Transcript
  • 8/14/2019 CEHv8 Module 12 Hacking Webservers.pdf


Exam 312-50 Certified Ethical Hacker

Ethical Hacking and Countermeasures

Module 12: Hacking Webservers

    Engineered by Hackers. Presented by Professionals.

Ethical Hacking and Countermeasures v8

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

    Module 12 Page 1601


Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility

Monday, September 10th, 2012

Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.

A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.


AnonymousOwn3r's bio reads "Security leader of #Anonymous (Official member)." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.

Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."

    Copyright 2012 AOL Inc.

    By Klint Finley

    http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how the attacker hacks it, what the different types of attacks an attacker can carry out on web servers are, the tools used in web server hacking, etc. Exploring web server security is a vast domain, and delving into the finer details of the discussion is beyond the scope of this module. This module familiarizes you with:

• IIS Web Server Architecture
• Why Web Servers Are Compromised
• Impact of Webserver Attacks
• Webserver Attacks
• Webserver Attack Methodology
• Webserver Attack Tools
• Metasploit Architecture
• Web Password Cracking Tools
• Countermeasures
• How to Defend Against Web Server Attacks
• Patch Management
• Patch Management Tools
• Webserver Security Tools
• Webserver Pen Testing Tools
• Webserver Pen Testing


Module Flow

To understand hacking web servers, first you should know what a web server is, how it functions, and what the other elements associated with it are. All of these are simply termed web server concepts, so we will discuss web server concepts first.

The module flow covers: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Counter-measures, Patch Management, Webserver Security Tools, and Webserver Pen Testing.

This section gives you a brief overview of the web server and its architecture. It also explains the common mistakes that encourage attackers to hack a web server and let them succeed. This section also describes the impact of attacks on the web server.


Webserver Market Shares

Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, at 64.6%. Below that, Microsoft IIS is used by 17.4%.


FIGURE 12.1: Web Server Market Shares (bar chart on a 0 to 80% scale: Apache 64.6%, Microsoft IIS 17.4%, followed by Nginx, LiteSpeed, Google Server, Tomcat, and Lighttpd)


Open Source Web Server Architecture

The diagram below illustrates the basic components of open source web server architecture.


FIGURE 12.2: Open Source Web Server Architecture (diagram: the Internet connects site users, the site admin, and attacks to a Linux host running Apache, PHP, MySQL, a compiled extension, email, the file system, and applications)

Where:

• Linux: the server's operating system
• Apache: the web server component
• MySQL: a relational database
• PHP: the application layer


IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.

IIS, also known as Internet Information Services, is a web server application developed by Microsoft that can be used with Microsoft Windows. It is the second largest web server after Apache HTTP Server, occupying around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.

The diagram that follows illustrates the basic components of IIS web server architecture:


FIGURE 12.3: IIS Web Server Architecture (diagram). Components shown:

• Client, reached over the Internet
• Kernel mode: HTTP Protocol Stack (HTTP.SYS)
• User mode: Svchost.exe hosting the Windows Activation Service (WAS) and the WWW Service, configured from applicationHost.config; external apps
• Application Pool:
  • Web Server Core: begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing
  • Native Modules: anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging
  • AppDomain with Managed Modules: Forms Authentication


Website Defacement

(Screenshot: a defaced page at http://juggyboy.com/index.aspx reading "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com")

Website defacement is the process by which hackers change the content of a website or web page. Hackers break into the web server and alter the hosted website by creating something new.

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.


Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.

• Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. This may be in the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large complex programs are often considered the source of imminent security lapses; web servers are themselves large complex programs and so come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

• Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make it almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server so that legitimate users are recognized and authenticated, and various groups of users are assigned distinct access privileges.


• End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website running in the browser can be a conduit for malicious software to bypass the firewall and permeate the local area network.

The table that follows shows the causes and consequences of web server compromises:

Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible

TABLE 12.1: Causes and consequences of web server compromises


Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:

• Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker can gain a lot of useful information and can use the compromised account to launch further attacks on the web server.

• Data tampering: The attacker can alter or delete the data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.

• Website defacement: Hackers completely change the look of the website by replacing the original data. They change the website's appearance by altering the visuals and displaying different pages with messages of their own.

• Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.

• Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive data of the company, such as the source code of a particular program.


• Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, semi-dedicated server, or virtual private server. Attackers can perform any action once they get root access to the server.


Module Flow

Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Almost every action online is performed with the help of a web server; hence, it is considered a critical resource of an organization. This is the very reason attackers target web servers. There are many attack techniques used by attackers to compromise web servers. Now we will discuss those attack techniques.

attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.

The module flow covers: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Counter-measures, Patch Management, Webserver Security Tools, and Webserver Pen Testing.


Web Server Misconfiguration

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once the attacker finds these vulnerabilities, such as remote access to the application, they become doorways for the attacker to enter the company's network. These loopholes in the server can help attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website.

• Remote administration functions can give the attacker a way into the server.
• Unnecessary services that are enabled are also vulnerable to hacking.
• Misconfigured/default SSL certificates.
• Verbose debug/error messages.
• Anonymous or default users/passwords.
• Sample configuration and script files.


Web Server Misconfiguration Example

Consider the httpd.conf file on an Apache server.

    SetHandler server-status

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Consider another example, the php.ini file.

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server

This configuration gives verbose error messages.
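As an added example (not from the CEH module), the following Python script parses fragments of httpd.conf and php.ini and flags the two weaknesses above, with the hardened form of each fragment beside the weak one; the fragments, the WEAK_/FIXED_ names and the 10.0.0.0/8 admin range are assumptions made for this example.

```python
"""Added example (not from the CEH module): audit httpd.conf and php.ini
fragments for the two weaknesses shown above. The fragments, the
WEAK_*/FIXED_* names and the 10.0.0.0/8 admin range are constructed here."""
import re
from typing import Dict, List

WEAK_HTTPD = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Hardened form: same handler, but only an internal admin range may reach it.
FIXED_HTTPD = """
<Location /server-status>
    SetHandler server-status
    Require ip 10.0.0.0/8
</Location>
"""

WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

# Hardened form: errors still go to syslog, but are no longer shown to clients.
FIXED_PHP_INI = WEAK_PHP_INI.replace("display_errors = On", "display_errors = Off")

LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S | re.I)


def parse_ini(text: str) -> Dict[str, str]:
    """Return php.ini 'key = value' pairs, ignoring comments and sections."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def parse_locations(text: str) -> Dict[str, List[str]]:
    """Map each <Location> path to the directives inside the block."""
    blocks: Dict[str, List[str]] = {}
    for path, body in LOCATION_RE.findall(text):
        blocks[path] = [d.strip() for d in body.splitlines() if d.strip()]
    return blocks


def is_restriction(directive: str) -> bool:
    """Apache 2.4 'Require' (other than 'all granted') or 2.2 Allow/Deny rules."""
    d = directive.lower()
    if d.startswith("require "):
        return d != "require all granted"
    return d.startswith(("allow from", "deny from"))


def audit_httpd(text: str) -> List[str]:
    """Flag server-status handlers reachable without an access restriction."""
    findings = []
    for path, directives in parse_locations(text).items():
        exposes_status = any(
            d.lower().startswith("sethandler") and "server-status" in d.lower()
            for d in directives
        )
        if exposes_status and not any(is_restriction(d) for d in directives):
            findings.append(f"{path}: server-status page reachable by anyone")
    return findings


def audit_php_ini(text: str) -> List[str]:
    """Flag error reporting that is sent to the client instead of a log."""
    ini = parse_ini(text)
    findings = []
    if ini.get("display_errors", "off") in ("on", "1", "stdout", "stderr"):
        findings.append("display_errors is On: error text (paths, queries) shown to clients")
    if ini.get("log_errors", "off") not in ("on", "1"):
        findings.append("log_errors is Off: errors are not recorded server-side")
    return findings


if __name__ == "__main__":
    for name, text, audit in [("weak httpd.conf", WEAK_HTTPD, audit_httpd),
                              ("fixed httpd.conf", FIXED_HTTPD, audit_httpd),
                              ("weak php.ini", WEAK_PHP_INI, audit_php_ini),
                              ("fixed php.ini", FIXED_PHP_INI, audit_php_ini)]:
        print(name, audit(text) or ["ok"])
```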


Directory Traversal Attacks

Web servers are designed in such a way that public access is limited to some extent. Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server's root directory by manipulating a URL. Attackers can use the trial-and-error method to navigate outside of the root directory and access sensitive information in the system.
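As an added example (not from the CEH module), this Python code normalizes request targets the way a lenient server might (percent-decoding until stable, so double encoding is caught, and treating backslashes as separators as the IIS request in this section requires), flags the requests that climb out of the web root in constructed access-log lines, and maps safe requests onto the document root; WEB_ROOT, the log lines and the client addresses are assumptions made for this example.

```python
"""Added example (not from the CEH module): normalize request targets the
way a lenient server might and flag the ones that climb out of the web root.
WEB_ROOT and the log lines are constructed for this example."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"          # assumed document root
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed access-log lines; the second mirrors the URL in Figure 12.7.
LOG_LINES = [
    '203.0.113.5 - - [28/Sep/2010:09:50:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Sep/2010:09:50:07 +0000] '
    '"GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 200 1203',
    '198.51.100.9 - - [28/Sep/2010:09:51:13 +0000] '
    '"GET /images/..%255c..%255cboot.ini HTTP/1.1" 404 220',
    '198.51.100.9 - - [28/Sep/2010:09:52:44 +0000] '
    '"GET /company/../support/faq.html HTTP/1.1" 200 880',
]


def normalize_target(raw: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode until stable (catches double
    encoding such as %255c -> %5c -> backslash), and treat backslashes as
    separators, which is how ..%5c in the figure's request became '..\\'."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_segments(path: str) -> Tuple[List[str], bool]:
    """Apply '.' and '..' by hand, reporting whether '..' ever climbed above
    the root; posixpath.normpath would silently drop such leading '..'."""
    stack: List[str] = []
    escaped = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return stack, escaped


def escapes_web_root(raw: str) -> bool:
    """Detection predicate: does this request target leave the web root?"""
    return resolve_segments(normalize_target(raw))[1]


def safe_local_path(raw: str) -> Optional[str]:
    """Mitigation: map a request onto WEB_ROOT, or refuse it if it escapes."""
    segments, escaped = resolve_segments(normalize_target(raw))
    if escaped:
        return None
    return posixpath.join(WEB_ROOT, *segments)


def flag_traversal(lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: (client IP, request target) for every log line that escapes."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match and escapes_web_root(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for ip, target in flag_traversal(LOG_LINES):
        print(f"traversal attempt from {ip}: {target}")
```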

FIGURE 12.7: Directory Traversal Attacks (screenshot: the request http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ returns a "Directory of C:\" listing from cmd.exe, showing entries such as AUTOEXEC.BAT, CONFIG.SYS, Documents and Settings, Program Files, Snort, WINDOWS, and WinDump.exe, with "7 File(s)" and "13 Dir(s)" totals)


HTTP Response Splitting Attack

An HTTP response splitting attack is a web-based attack where a server is tricked by injecting new lines into response headers along with arbitrary code. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection are some examples of this type of attack.

The attacker alters a single request so that it appears to, and is processed by, the web server as two requests. The web server in turn responds to each request. This is accomplished by adding header response data into the input field. An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.


    Input =Jason

    HTTP/1.1 200 OK

    Set-Cookie: author=Jason

    Input =JasonTheHacker\r\nHTTP/l.l 200 OK\r\n

    First Response (Controlled by Attacker)

    Set-Cookie; author=JasonTheHacker

    HTTP/1.1 200 OK

    Second Response

    HTTP/1.1200 OK

    String author =request.getParameter(AUTHOR_PARAM) ;

    Cookie cookie = newCookie("author", author);cookie.setMaxAge(cookieExpiration) ;response.addCookie(cookie);

    o

    Si05

  • 8/14/2019 CEHv8 Module 12 Hacking Webservers.pdf

    25/123

    Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures

    Hacking Webservers

    Web Cache Poisoning Attack

    An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in cache.

    Diagram (recovered from the slide): before the attack, the address bar shows http://www.juggyboy.com/welcome.php?lang= and the original Juggyboy page; afterwards the address bar shows www.juggyboy.com but the attacker's page is displayed (poisoned server cache).

    1. Attacker sends a request to remove the page from the cache:
       GET http://juggyboy.com/index.html HTTP/1.1
       Pragma: no-cache
       Host: juggyboy.com
       Accept-Charset: iso-8859-1,*,utf-8
    2. Normal response after clearing the cache for juggyboy.com
    3. Attacker sends a malicious request that generates two responses (4 and 6):
       GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0aAttack Page HTTP/1.1
       Host: juggyboy.com
    4. Attacker gets the first server response
    5. Attacker requests juggyboy.com again to generate a cache entry:
       GET http://juggyboy.com/index.html HTTP/1.1
       Host: testsite.com
       User-Agent: Mozilla/4.7 [en] (WinNT; I)
       Accept-Charset: iso-8859-1,*,utf-8
    6. The second response of request 3, which points to the attacker's page
    7. Attacker gets the second response

    Web Cache Poisoning Attack

    Web cache poisoning is an attack against the reliability of an intermediate web cache, in which legitimate content cached for an arbitrary URL is replaced with attacker-supplied content. Users of the web cache can unknowingly receive the poisoned content instead of the genuine, secured content when requesting that URL through the web cache.

    An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to be stored in the cache. The diagram shows the whole process of web cache poisoning in detail, as a step-by-step procedure.
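The poisoning request in the diagram only works if an encoded CRLF reaches a header-building script, so a defender can find such attempts in the access log. This added example (not from the module) runs that check over constructed Apache combined-format log lines; the regex, the decoding depth and the sample addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache combined format. Line 2 has the shape of the
# request on the slide (an encoded CRLF in the 'site' parameter); line 3 double-encodes it.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2009:14:50:01 +0000] "GET /welcome.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/4.7"
203.0.113.5 - - [27/Oct/2009:14:50:18 +0000] "GET /redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK HTTP/1.1" 302 0 "-" "Mozilla/4.7"
198.51.100.9 - - [27/Oct/2009:14:51:02 +0000] "GET /redir.php?site=%250d%250aSet-Cookie:%20x=1 HTTP/1.1" 302 0 "-" "curl/7.19"
198.51.100.9 - - [27/Oct/2009:14:52:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def decode_layers(value: str, max_layers: int = 3) -> list:
    """Percent-decode repeatedly and return every layer seen. Attackers double-encode
    (%250d%250a) so that one decode by a front-end proxy still leaves %0d%0a for the
    back end; checking every layer catches both forms."""
    layers = []
    current = value
    for _ in range(max_layers):
        decoded = unquote(current)
        layers.append(decoded)
        if decoded == current:
            break
        current = decoded
    return layers


def has_header_injection(uri: str) -> bool:
    """True if any decoding layer of the request URI contains a CR or LF."""
    return any("\r" in layer or "\n" in layer for layer in decode_layers(uri))


def find_crlf_injection(log_text: str) -> list:
    """Return (client_ip, request_uri) for every log line whose URI carries a CR/LF."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and has_header_injection(match.group("uri")):
            hits.append((match.group("ip"), match.group("uri")))
    return hits


if __name__ == "__main__":
    for ip, uri in find_crlf_injection(SAMPLE_LOG):
        print(f"CRLF in request URI from {ip}: {uri}")
```

The same check belongs in the application itself, where the parameter is read, since the cache cannot tell a split second response from a legitimate one.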


    HTTP Response Hijacking

    HTTP response hijacking is accomplished with a response splitting request. In this attack, the attacker first sends a response splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. On receiving the response from the web server, the victim requests service by supplying credentials. At the same time, the attacker requests the index page. The web server then sends the response to the victim's request to the attacker, and the victim remains uninformed.

    The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:


    FIGURE 12.10: HTTP Response Hijacking


    SSH Brute Force Attack

    SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network

    Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel

    SSH tunnels can be used to transmit malware and other exploits to victims without being detected

    Diagram labels: Attacker, Internet, User, SSH Server, Web Server, Application Server, Mail Server, File Server


    SSH Brute Force Attack

    SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. In order to conduct an attack on SSH, the attacker first scans the entire SSH server to identify possible vulnerabilities. With the help of a brute force attack, the attacker gains the login credentials. Once the attacker gains the SSH login credentials, he or she uses the same SSH tunnels to transmit malware and other exploits to victims without being detected.

    FIGURE 12.11: SSH Brute Force Attack
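A brute force against SSH leaves a dense run of "Failed password" entries from one source, which is what a defender watches for. This added example (not part of the module) applies a sliding-window count to constructed OpenSSH syslog lines; the year, threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth-log lines (syslog format). One source hammers several
# accounts within seconds; a second source has a single typo followed by success.
SAMPLE_AUTH_LOG = """\
Oct 27 14:50:01 bastion sshd[2101]: Accepted publickey for deploy from 198.51.100.9 port 40210 ssh2
Oct 27 14:50:18 bastion sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 27 14:50:19 bastion sshd[2111]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 27 14:50:21 bastion sshd[2112]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Oct 27 14:50:22 bastion sshd[2113]: Failed password for invalid user guest from 203.0.113.5 port 51241 ssh2
Oct 27 14:50:24 bastion sshd[2114]: Failed password for root from 203.0.113.5 port 51244 ssh2
Oct 27 14:55:00 bastion sshd[2130]: Failed password for alice from 198.51.100.9 port 40300 ssh2
Oct 27 14:55:30 bastion sshd[2131]: Accepted password for alice from 198.51.100.9 port 40301 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
LOG_YEAR = 2009   # syslog timestamps carry no year; assumed for the sample


def parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Sliding-window count of failed password attempts per source address.
    Returns {ip: (failures_in_window, sorted usernames tried)} for each source that
    reaches the threshold; the username spread distinguishes a credential-guessing
    run from one user mistyping a password."""
    windows = defaultdict(deque)      # ip -> timestamps of recent failures
    users = defaultdict(set)
    flagged = {}
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if not match:
            continue
        ts, ip = parse_ts(match.group("ts")), match.group("ip")
        recent = windows[ip]
        recent.append(ts)
        users[ip].add(match.group("user"))
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold and ip not in flagged:
            flagged[ip] = (len(recent), sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, names) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures inside the window, accounts tried: {', '.join(names)}")
```

The usual mitigations pair with this: key-only authentication removes the password to guess, and a rate limiter such as fail2ban acts on the same log pattern.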


    Man-in-the-Middle Attack

    Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers

    The attacker acts as a proxy such that all the communication between the user and the web server passes through him

    Diagram labels: Normal Traffic, Attacker, Webserver

    Man-in-the-Middle Attack

    A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages exchanged between the user and the web server by eavesdropping on or intruding into a connection. This allows an attacker to steal sensitive information of a user, such as online banking details, user names, passwords, etc., transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through the attacker by pretending to be a proxy. If the victim believes and agrees to the attacker's request, then all the communication between the user and the web server passes through the attacker. Thus, the attacker can steal sensitive user information.


    Webserver Password Cracking

    An attacker tries to exploit weaknesses to hack well-chosen passwords

    Many hacking attempts start with cracking passwords and prove to the web server that they are a valid user

    Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc.

    The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.

    Targets: Web form authentication cracking, SSH tunnels, FTP servers, SMTP servers, Web shares

    Web Server Password Cracking

    Most hacking starts with password cracking. Once the password is cracked, the hacker can log in to the network as an authorized person. Most of the common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, a brute force attack, a dictionary attack, etc. to crack passwords.

    Attackers mainly target:

    Web form authentication cracking
    SSH tunnels
    FTP servers
    SMTP servers
    Web shares


    Webserver Password Cracking Techniques

    Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.

    Passwords can be cracked by using the following techniques:

    Hybrid Attack: A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt

    Web Server Password Cracking Techniques

    Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack the password:

    Guessing: A common cracking method used by attackers is to guess passwords, either by humans or by automated tools provided with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same thing allows the attacker to crack passwords by guessing.

    Dictionary Attack: A dictionary attack is a method that uses predefined words in various combinations. It might not be effective if the password consists of special characters and symbols, but compared to a brute force attack it is less time consuming.

    Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase "A to Z," numbers "0 to 9," or lowercase "a to z." This type of method is useful to identify one-word or two-word passwords, whereas if a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack the password, which is practically impossible.


    Hybrid Attack: A hybrid attack is more powerful, as it uses both a dictionary attack and a brute force attack. It also includes symbols and numbers. Password cracking becomes easier with this method.
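The four techniques above can be turned into a password audit: which of them would recover a given password, and how large the brute-force keyspace is if none of the cheaper ones applies. This is an added example, not from the module; the wordlists, the hybrid rules modelled and the assumed guess rate of a billion per second are constructed for illustration.

```python
import string
from typing import Optional

# Constructed lists standing in for the "most common passwords" the text names and for a
# cracking dictionary; a real wordlist runs to millions of entries.
COMMON_PASSWORDS = {"password", "root", "administrator", "admin", "demo", "test", "guest", "qwerty"}
DICTIONARY = {"password", "welcome", "dragon", "fluffy", "summer", "letmein", "monkey"}

# Leet substitutions a hybrid rule set would undo: 0->o 1->i 3->e 4->a 5->s $->s @->a
LEET = str.maketrans("01345$@", "oieassa")
SECONDS_PER_YEAR = 365 * 24 * 3600


def dictionary_base(password: str) -> Optional[str]:
    """Return the wordlist entry a dictionary or hybrid attack would reach the password
    from, or None. Hybrid rules modelled: case folding, digits or symbols added at either
    end, and the leet substitutions above."""
    lowered = password.lower()
    stripped = lowered.strip(string.digits + string.punctuation)
    for candidate in (lowered, stripped, stripped.translate(LEET)):
        if candidate in DICTIONARY:
            return candidate
    return None


def keyspace(password: str) -> int:
    """Size of the brute-force search space implied by the character classes present."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 printable symbols
    return alphabet ** len(password)


def audit(password: str, guesses_per_second: float = 1e9) -> dict:
    """Name the cheapest technique from the text that recovers the password, plus the
    time a brute force at the assumed guess rate would need to exhaust its keyspace."""
    years = keyspace(password) / guesses_per_second / SECONDS_PER_YEAR
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        technique, base = "guessing", lowered
    else:
        base = dictionary_base(password)
        if base == lowered:
            technique = "dictionary"
        elif base is not None:
            technique = "hybrid"
        else:
            technique = "brute force"
    return {"technique": technique, "base": base, "brute_force_years": years}


if __name__ == "__main__":
    for pw in ("admin", "Fluffy", "Fluffy123!", "P@ssw0rd", "xq7#Lm2&Vb9!"):
        result = audit(pw)
        print(f"{pw:14} {result['technique']:12} base={result['base']!s:10} "
              f"brute force exhausts keyspace in {result['brute_force_years']:.3g} years")
```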


    Web Application Attacks

    Vulnerabilities in web applications running on a Webserver provide a broad attack path for Webserver compromise

    Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications

    Web Application Attacks

    Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.

    Directory Traversal

    Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.
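The URL manipulation described above succeeds when the server joins the request path onto its document root without checking where the result lands. This added example (not from the module) shows that resolver beside a hardened one that also catches encoded dots and sibling-directory prefixes; the document root and the sample paths are constructed, and a POSIX filesystem is assumed.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example; production code would read it from config.
WEB_ROOT = "/var/www/html"


def resolve_vulnerable(requested_path: str) -> str:
    """The flaw the text describes: the URL path is joined onto the document root and
    normalised, so '../' segments walk out of the root and nothing checks the result."""
    return os.path.normpath(os.path.join(WEB_ROOT, requested_path.lstrip("/")))


def resolve_hardened(requested_path: str) -> str:
    """Decode once, normalise, then require the result to still lie under WEB_ROOT.
    os.path.commonpath compares whole path components, so a sibling such as
    /var/www/html2 is rejected where a plain startswith() check would let it through.
    Symlinks inside the root are a separate concern (apply os.path.realpath to both
    sides before comparing) and are not covered here."""
    decoded = unquote(requested_path)
    if "\0" in decoded:
        raise PermissionError("NUL byte in requested path")
    candidate = os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/")))
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise PermissionError(f"path escapes web root: {requested_path!r}")
    return candidate


def escapes_root(requested_path: str) -> bool:
    """True when the hardened resolver refuses the path; handy when reviewing logs."""
    try:
        resolve_hardened(requested_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for path in ("/index.html", "docs/../index.html", "../../../etc/passwd",
                 "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "../html2/secret"):
        print(f"{path:36} naive -> {resolve_vulnerable(path):28} rejected: {escapes_root(path)}")
```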

    Parameter/Form Tampering

    This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.

    Cookie Tampering

    Cookie tampering is the method of poisoning or tampering with the client's cookie. Most of these attacks are performed while a cookie is being sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.


    Command Injection Attacks

    Command injection is an attack method in which a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.

    Buffer Overflow Attacks

    Most web applications are designed to sustain some amount of data. If that amount is exceeded, the application may crash or may exhibit some other vulnerable behavior. The attacker takes advantage of this and floods the application with too much data, which in turn causes a buffer overflow attack.

    Cross-Site Scripting (XSS) Attacks

    Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.

    Denial-of-Service (DoS) Attack

    A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.

    Unvalidated Input and File Injection Attacks

    Unvalidated input and file injection attacks refer to attacks carried out by supplying unvalidated input or by injecting files into a web application.

    Cross-Site Request Forgery (CSRF) Attack

    The user's web browser is requested by a malicious web page to send requests to a malicious website where various vulnerable actions are performed that are not intended by the user. This kind of attack is dangerous in the case of financial websites.

    SQL Injection Attacks

    SQL injection is a code injection technique that uses a security vulnerability of a database for attacks. The attacker injects malicious code into the strings that are later passed on to SQL Server for execution.

    Session Hijacking

    Session hijacking is an attack where the attacker exploits, steals, predicts, and negotiates the real valid web session control mechanism to access the authenticated parts of a web application.


    Module Flow

    So far we have discussed web server concepts and the various techniques used by attackers to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.

    Webserver Concepts
    Webserver Attacks
    Attack Methodology
    Webserver Attack Tools
    Webserver Pen Testing
    Webserver Security Tools
    Patch Management
    Counter-measures

    This section provides insight into the attack methodology and the tools that help at various stages of hacking.


    Webserver Attack Methodology

    Information Gathering
    Webserver Footprinting
    Vulnerability Scanning
    Hacking Webserver Passwords

    Web Server Attack Methodology

    Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of the web server attack methodology include:

    Information Gathering

    Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she then analyzes it in order to find the security lapses in the current mechanism of the web server.

    Web Server Footprinting

    The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to know about its remote access capabilities, its ports and services, and the aspects of its security.

    Mirroring Website

    Website mirroring is a method of copying a website and its content onto another server for offline browsing.

    Vulnerability Scanning


    Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.

    Session Hijacking

    Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.

    Hacking Web Server Passwords

    Attackers use various password cracking methods, such as brute force attacks, hybrid attacks, dictionary attacks, etc., to crack web server passwords.


    Webserver Attack Methodology: Information Gathering


    Source: http://www.whois.net

    Whois allows you to perform a domain whois search and a whois IP lookup, and to search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used to see who owns a domain name, how many pages from a site are listed with Google, or even to search the Whois address listings for a website's owner.

    WHOis.net - Your Domain Starting Place...

    WHOIS information for ebay.com:

    [Querying whois.verisign-grs.com]
    [whois.verisign-grs.com]
    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: EBAY.COM
    Registrar: MARKMONITOR INC.
    Whois Server: whois.markmonitor.com
    Referral URL: http://www.markmonitor.com
    Name Server: SJC-DNS1.EBAYDNS.COM
    Name Server: SJC-DNS2.EBAYDNS.COM
    Name Server: SMF-DNS1.EBAYDNS.COM
    Name Server: SMF-DNS2.EBAYDNS.COM
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Status: serverDeleteProhibited
    Status: serverTransferProhibited
    Status: serverUpdateProhibited
    Updated Date: 15-sep-2010
    Creation Date: 04-aug-1995
    Expiration Date: 03-aug-2018

    FIGURE 12.13: WHOIS Information Gathering


    Webserver Attack Methodology: Webserver Footprinting

    Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details

    Telnet a Webserver to footprint a Webserver and gather information such as server name, server type, operating systems, applications running, etc.

    Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting

    Web Server Attack Methodology: Webserver Footprinting

    The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to know about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to a web server to footprint it and gather information such as server name, server type, operating system, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc.
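What the telnet or ID Serve query above actually learns comes from a handful of response headers, and the same parse tells an administrator what their own server gives away. This added example (not from the module) extracts those headers from a constructed response modelled on the ID Serve output shown later, flags version disclosure, and includes the live HEAD request for checking a server you operate; the header list and sample values are assumptions.

```python
import re
import socket

# Constructed raw response, modelled on the ID Serve output on the page; the Server
# and X-Powered-By values are illustrative, not taken from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache/2.2.6 (Unix) PHP/5.2.4\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Headers that identify the server stack; assumed list, extend for your platform.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "via")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_headers(raw: str):
    """Split a raw HTTP response into its status line and a lower-cased header dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosure_report(raw: str) -> dict:
    """What a footprinting tool learns from one response: the identifying headers and
    whether any of them carries a version number, the detail most worth suppressing
    (Apache: ServerTokens Prod; nginx: server_tokens off; drop X-Powered-By in the app)."""
    _, headers = parse_headers(raw)
    found = {name: headers[name] for name in DISCLOSURE_HEADERS if name in headers}
    return {
        "identifies_as": headers.get("server", "<none>"),
        "disclosure_headers": found,
        "leaks_version": any(VERSION_RE.search(value) for value in found.values()),
    }


def fetch_raw_head(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live version of the telnet footprint the text describes: send HEAD / and read
    the headers back. Not exercised offline; run it only against servers you operate."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("iso-8859-1")


if __name__ == "__main__":
    report = disclosure_report(SAMPLE_RESPONSE)
    print("server identifies itself as:", report["identifies_as"])
    for name, value in report["disclosure_headers"].items():
        print(f"  {name}: {value}")
    print("leaks a version number:", report["leaks_version"])
```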

    Netcraft

    Source: http://toolbar.netcraft.com

    Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.


    Netcraft: Search Web by Domain (screenshot)
    Explore 1,045,745 web sites visited by users of the Netcraft Toolbar, 3rd August 2012
    Search: site contains "microsoft" (example: site contains .netcraft.com)
    Results for microsoft: Found 252 sites

    Site                      First seen     Netblock         OS
    1. www.microsoft.com      august 1995    microsoft corp   citrix netscaler
    2. support.microsoft.com  october 1997   microsoft corp   unknown
    3. technet.microsoft.com  august 1999    microsoft corp   citrix netscaler
    4. windov


    Webserver Footprinting Tools

    httprecon 7.3 - http://www.nytimes.com:80/ (screenshot)
    File  Configuration  Fingerprinting  Reporting  Help
    Target (Sun ONE Web Server 6.1): http:// www.nytimes.com : 80
    GET existing | GET long request | GET non-existing | GET wrong protocol
    HTTP/1.1 200 OK
    Date: Thu, 11 Oct 2012 09:34:37 GMT
    expires: Thu, 01 Dec 1994 16:00:00 GMT
    cache-control: no-cache
    pragma: no-cache
    Set-Cookie: ALT_ID=...; Expires=... 09:34:37 GMT; Path=/; Domain=.nytimes.com;
    Set-cookie: adxcs=-; path=/; domain=.nytimes.com
    Matchlist (352 Implementations) | Fingerprint Details | Report Preview
    Name: Oracle Application Server 10g 10.1.2.2.0, Sun Java System Web Server 7.0, Abyss 2.5.0.0 X1, Apache 2.0.52, Apache 2.2.6, ...
    Ready
    http://www.computec.ch

    ID Serve - Internet Server Identification Utility, v1.02 (screenshot; see FIGURE 12.16)
    Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.
    Query of www.google.com; the server identified itself as: gws
    http://www.grc.com

    Web Server Footprinting Tools

    We have already discussed the Netcraft tool. In addition to Netcraft, there are two more tools that allow you to perform web server footprinting: Httprecon and ID Serve.

    Httprecon

    Source: http://www.computec.ch

    Httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.


    ID Serve - Internet Server Identification Utility, v1.02
    Personal Security Freeware by Steve Gibson
    Copyright (c) 2003 by Gibson Research Corp.

    Background | Server Query | Q&A/Help

    Enter or copy/paste an Internet server URL or IP address here (example: www.microsoft.com):
    www.google.com

    When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server.
    [Query The Server]

    Server query processing:
    Server: gws
    Content-Length: 221
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Connection: close

    The server identified itself as: gws

    [Exit] [Goto ID Serve web page] [Copy]

    FIGURE 12.16: ID Serve


    Webserver Attack Methodology: Mirroring a Website

    Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.

    Search for comments and other items in the HTML source code to make footprinting activities more efficient

    Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website

    http://www.httrack.com

  • 8/14/2019 CEHv8 Module 12 Hacking Webservers.pdf

    48/123

    Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures

    Hacking Webservers

    Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]HFile Preferences terror Log Window JHelp

    Parang HTML HeIn progress:

    Information

    2/14 (.13)

    14

    00

    Links scanned:

    Files written:

    Fles updated:

    Errors:

    Bytes saved: 320.26KB

    Time: 2min22s

    Transferrate: OB/s (1.19MB/s)

    Active connections: 1

    [Actions

    HelpCancelNext >;Back |

    B j j Local Disk

    0 CEH-Tools

    j H J. dell

    a i . inetpub

    B Intel

    B t MyWebSites

    g) Jj Program Files

    a J j Program Files (x86)

    & J1 Users

    a Windows

    L Q NTUSER.DAT

    a a Local Disk

    DVD RW Drive

    El , . New Volume

    FIGURE 12.17: Mirroring a Website


    Webserver Attack Methodology: Vulnerability Scanning

    Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present

    Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities

    Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited

    Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities


    Web Server Attack Methodology: Vulnerability Scanning

    Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of automated tools known as vulnerability scanners.

    Vulnerability scanning identifies the vulnerabilities that exist in the web server and its configuration, and thus helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out active systems, network services, applications, and vulnerabilities present.

    Attackers also test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning, such as HP WebInspect, Nessus, Paros proxy, etc., to find hosts, services, and vulnerabilities.

    Nessus

    Source: http://www.nessus.org

    Nessus is a security scanning tool that scans systems remotely and reports the vulnerabilities it detects before an attacker actually attacks and compromises them. Its five features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

    FIGURE 12.18: Nessus Screenshot


    Webserver Attack Methodology: Session Hijacking

    Sniff valid session IDs to gain unauthorized access to the web server and snoop the data

    Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs

    Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking
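    The ID Serve figure earlier (Figure 12.16) shows the headers by which a server identifies itself, and the bullets above describe capturing session cookies by sidejacking or cross-site scripting; a defender can check both from a single raw HTTP response. The audit below is an added example, not code from the courseware, ID Serve, Burp Suite or Firesheep; the sample response is constructed from the headers in Figure 12.16 plus an assumed session cookie, and the header and cookie-name lists are assumptions.

```python
"""Audit one raw HTTP response for server-identification headers and for
session cookies that lack the attributes which stop sidejacking (Secure)
and script theft (HttpOnly). Constructed example; the lists of header
and cookie names are assumptions, not a standard."""

DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
PROTECTIVE_HEADERS = ("x-frame-options", "strict-transport-security",
                      "content-security-policy", "x-content-type-options")
SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "asp.net_sessionid")


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value)], body).
    Names are lower-cased; Set-Cookie may appear several times, so the
    headers are kept as a list rather than a dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_findings(set_cookie):
    """Return findings for a Set-Cookie value that names a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if not any(s in cookie.lower() for s in SESSION_NAMES):
        return []
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")      # sent over plain HTTP: sidejacking
    if "httponly" not in attrs:
        missing.append("HttpOnly")    # readable by script: XSS theft
    if "samesite" not in attrs:
        missing.append("SameSite")
    return [f"cookie {cookie} lacks {m}" for m in missing]


def audit(raw):
    """Return a list of human-readable findings for one response."""
    _, headers, _ = parse_response(raw)
    present = {n for n, _ in headers}
    findings = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            findings.append(f"{name} header identifies the server: {value}")
        elif name == "set-cookie":
            findings.extend(cookie_findings(value))
    for name in PROTECTIVE_HEADERS:
        if name not in present:
            findings.append(f"missing {name}")
    return findings


# Constructed response: the header set from the ID Serve figure plus an
# assumed session cookie set without Secure/HttpOnly/SameSite.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: gws\r\n"
          "Content-Length: 221\r\n"
          "X-XSS-Protection: 1; mode=block\r\n"
          "X-Frame-Options: SAMEORIGIN\r\n"
          "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
          "Connection: close\r\n\r\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```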

    [Screenshot: Burp Suite Free Edition v1.4.01, Target tab, Site map view with the filter "hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders". The site map lists http://edition.cnn.com and http://economictimes.indiatimes.com; a selected GET request to an /element/ssi/ads.iframes/ page (status 200, MIME type HTML, length 676) is shown with its request headers (Host: edition.cnn.com, User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1, Accept: text/javascript, text/html, application/xml, text/xml). The branch context menu offers: add item to scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools [pro version only], compare site maps, expand branch, expand requested items, delete branch, copy URLs in this branch, copy links in this branch, save selected items.]

    FIGURE 12.19: Burp Suite Screenshot


    [Screenshot: Brutus AET2 (www.hoobie.net/brutus, January 2000). Type: HTTP (Basic Auth); Target: 10.0.0.17; Port: 80; Method: HEAD with KeepAlive; Pass Mode: password file; Authentication Options: user file users.txt. The Positive Authentication Results pane lists credentials found for the usernames admin and backup on 10.0.0.17/. Log: "Located and installed 1 authentication plug-ins", "Initialising...", "Target 10.0.0.17 verified", "Opened user file containing 6 users.", "Opened password file containing 818 Passwords.", "Maximum number of authentication attempts will be 4908", "Engaging target 10.0.0.17 with HTTP (Basic Auth)". Status bar: Timeout, Reject, Auth Seq, Throttle, Quick Kill.]

    FIGURE 12.20: Brutus Screenshot


    Webserver Attack Tools: Metasploit

    The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms

    It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP

    [Screenshot: Metasploit web interface dashboard (Modules, Tags, Reports, Tasks tabs) with Operating Systems (Top), Network Services (Top), Target System Status, and Project Activity (24 Hours) panels.]

    http://www.metasploit.com


    Web Server Attack Tools: Metasploit

    Source: http://www.metasploit.com

    The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes Oxley, HIPAA, or PCI DSS.

    Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and allows team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.

    Metasploit enables you to:

    Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks


    Assess the security of web applications, network and endpoint systems, as well as email users

    Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year

    Test with the world's largest public database of quality assured exploits

    Tunnel any traffic through compromised targets to pivot deeper into the network

    Collaborate more effectively with team members in concerted network tests

    Customize the content and template of executive, audit, and technical reports

    [Screenshot: Metasploit dashboard (Tags, Reports, Tasks, Sessions, Campaigns tabs) showing the Operating Systems (Top) panel and the Network Services (Top) panel with 270 DCERPC Servers, 114 SMB Servers, and 37 NETBIOS Servers.]


    Metasploit Architecture

    [Figure: Metasploit architecture diagram. Libraries: Rex, Framework-Core, Framework-Base. Modules: Exploits, Payloads, Encoders, NOPS, Auxiliary. Surrounding pieces: Protocol Tools, Security Tools, Web Services, Integration, Custom plug-ins. Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi.]


    Metasploit Architecture

    The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.




    Metasploit Payload Module

    The payload module establishes a communication channel between the Metasploit framework and the victim host

    It combines the arbitrary code that is executed as the result of an exploit succeeding

    To generate payloads, first select a payload using the command:


    Metasploit Payload Module

    The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there.

    With the help of a payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer.

    To generate payloads, first select a payload using the command:

    msf > use windows/shell_reverse_tcp
    msf payload(shell_reverse_tcp) > generate -h
    Usage: generate [options]

    Generates a payload.

    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -h        Help banner.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -s <opt>  NOP sled length.
    -t <opt>  The output type: ruby, perl, c, or raw.

    msf payload(shell_reverse_tcp) >


    Metasploit NOPS Module

    NOP modules generate no-operation instructions used for padding out buffers

    Use the generate command to generate a NOP sled of an arbitrary size and display it in a given format

    [Screenshots: two Command Prompt windows showing "msf > use x86/opty2" followed by "msf nop(opty2) > generate -h" (Usage: generate [options] length, with the -b, -h, -s and -t options), and "msf nop(opty2) > generate -t c 50" producing a 50-byte C-style buffer. Both transcripts are reproduced in the notes below.]


    Metasploit NOPS Module

    Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format.

    OPTIONS:

    -b <opt>  The list of characters to avoid: '\x00\xff'
    -h        Help banner.
    -s <opt>  The comma separated list of registers to save.
    -t <opt>  The output type: ruby, perl, c, or raw.

    Generates a NOP sled of a given length


    To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    "\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
    "\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
    "\x92\xb5\xd4\x4f\x91";
    msf nop(opty2) >

    Figure 12.25: Me tasp lo i t NOPS Mod ule
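    Checking that output the way a reviewer would, the following added example (not Metasploit code) parses the C-style buffer printed above back into bytes, verifies the 50-byte length and the -b bad-character constraint, and shows why a detection rule that only looks for runs of 0x90 never sees an opty2 sled; the 16-byte run threshold is an assumption.

```python
"""Parse the C buffer that `generate -t c` prints and check it: length,
bad characters (the -b option), and whether a naive 0x90-run signature
would match. Constructed example; the buffer is the opty2 output
reproduced in the text above."""
import re

C_BUFFER = r'''unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";'''


def parse_c_buffer(text):
    """Turn a C string literal made of \\xNN escapes (possibly split into
    several adjacent quoted pieces, as msf prints it) back into bytes."""
    pieces = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text)
    hexdigits = "".join(pieces).replace("\\x", "")
    return bytes.fromhex(hexdigits)


def check_sled(sled, expected_len, badchars=b"\x00\xff"):
    """Return (length_ok, sorted list of bad-character values present).
    The default badchars mirror the -b example '\\x00\\xff' in the text."""
    present = sorted({b for b in sled if b in badchars})
    return len(sled) == expected_len, present


def has_classic_nop_run(data, min_run=16):
    """Naive signature: a run of at least min_run 0x90 bytes. This is
    what a simple IDS rule matches; a multi-byte NOP-equivalent sled
    such as opty2 contains no 0x90 at all, so the rule is silent."""
    run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        if run >= min_run:
            return True
    return False


if __name__ == "__main__":
    sled = parse_c_buffer(C_BUFFER)
    print(len(sled), check_sled(sled, 50), has_classic_nop_run(sled))
```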


    Webserver Attack Tools: WFetch

    WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data

    It allows an attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols

    [Screenshot: WFetch window with an Advanced Request pane (Verb: GET, Host: localhost, Path, Authentication and Connection options, cipher and trace settings) and a Log Output pane reporting "Last Status: 500 Internal Server Error" after a request was started.]


    [Screenshot: N-Stalker Web Application Security Scanner 2012 Free Edition, Scanner Events panel (High, Medium, Low, Info counts; bytes sent and received; requests per second). Below it, a CORE Impact Pro window (Version 11.0.4666) lists network information-gathering and FreeBSD local privilege escalation exploit modules with a "Filter modules by target" option.]

    FIGURE 12.37: CORE Impact Pro Screenshot


    Web Server Pen Testing

    Web server pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server

    The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities


    Web Server Pen Testing

    Web server pen testing will help