Module 12
Engineered by Hackers. Presented by Professionals.
Certified Ethical Hacker
The hackers who say they are sticking up for WikiLeaks and Julian Assange continued to flex their digital muscles on Thursday, extending outages at Mastercard.com and Visa.com to a second day. And even as the group claiming responsibility for the attacks openly discussed big new targets like Amazon, Twitter, and Facebook, Twitter took unsuccessful steps to disperse the virtual mob.

Meanwhile, published reports say a 16-year-old was arrested by Dutch authorities on Thursday in connection with the attacks. The youth was arrested in The Hague; authorities did not release his name, or say how prominent a figure the suspect was in the attacks.

A loose-knit group of hackers who gather on the website 4Chan.org under the name Anonymous spent most of the past 24 hours playing cat-and-mouse with Twitter, where the group announces its attack plans. On Wednesday night, Twitter suspended its main account Anon_Operation soon after an attack on Visa.com was announced there. At the time, the account had amassed 22,000 followers.
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module Objectives

- Open Source Webserver Architecture
- IIS Webserver Architecture
- Why Web Servers are Compromised?
- Webserver Attack Methodology
- Webserver Attack Tools
- Countermeasures
- How to Defend Against Web Server
- What is Patch Management?
- Patch Management Tools
- Web Application Attacks
- Webserver Security Tools
- Webserver Pen Testing
Webserver Market Shares

[Chart: webserver market share by product, in percent]
Open Source Webserver Architecture
IIS Webserver Architecture

IIS is a flexible, secure and easy-to-manage Web server.

[Diagram: IIS architecture showing the HTTP Protocol Stack (HTTP.SYS), Windows Process Activation Service (WAS), the Web Server Core, native modules (anonymous authentication, certificate mapping, static file, default document, handler mapping) and the managed AppDomain with Forms authentication]
Website Defacement

Web defacement occurs when an intruder maliciously alters a web page by inserting or substituting provocative and frequently offending data or misleading information until the unauthorized change is discovered and
Users visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama's 8th District), and Brian Baird (Washington's 3rd District) were presented with a defacement message from the Red Eye Crew.

Though the actual cause of the defacement was not clear, it was observed that all the defaced sites were running on Joomla CMS.

Affected sites listed on the slide:
- http://www.joewilson.house.gov/
- http://bachus.house.gov/
- http://www.baird.house.gov/
- http://www.gonzalez.house.gov/
- http://mcnerney.house.gov/
- http://mikepence.house.gov/
- http://driehaus.house.gov/
- http://carson.house.gov/
- http://doggett.house.gov/
- http://coffman.house.gov/
- http://www.kosmas.house.gov/
- http://lujan.house.gov/
- http://www.mccollum.house.gov/
- http://teague.house.gov/
Why Web Servers are Compromised?

- Unpatched security flaws in the server software, OS and applications
- Misconfigurations in webserver, operating systems and networks
- Lack of proper security policy, procedures, and maintenance
- Bugs in server software and OS
- Installing with default settings
- Functions including content management and remote administration that are enabled or accessible
- Default accounts with their default passwords
- Unnecessary default, backup, or sample files
- Improper file and directory permissions
- Misconfigured SSL certificates and encryption settings
- Improper authentication with external systems
- Conflicts with the business ease-of-use case
Impact of Webserver Attacks
Module Flow

Webserver Concepts → Webserver Threats → Webserver Attack Tools → Countermeasures → Patch Management → Webserver Pen Testing
Webserver Misconfiguration

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on webservers such as directory traversal, server intrusion and data theft.

Once detected, these problems can lead to the compromise of a website.

[Diagram: examples of misconfiguration, including unnecessary functions enabled, remote administration functions, and misconfigured/default SSL]
httpd.conf file on an Apache server:

<Location /server-status>
    SetHandler server-status
</Location>

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

php.ini file:

display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
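As an added example (not from the original slides), a small Python audit of the two settings shown above: it parses php.ini-style text and the Apache <Location /server-status> block, and ships constructed weak and hardened samples; the hardened httpd.conf uses the Apache 2.4 directive Require ip to limit the status page to localhost.

```python
"""Audit the two misconfigurations shown above: an unrestricted Apache
/server-status handler and a php.ini that shows errors to clients."""
import re
# Constructed samples: the slide's weak settings and a hardened counterpart.
WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""
HARDENED_PHP_INI = """
; errors go to the log only, never into the HTTP response
display_errors = Off
log_errors = On
error_log = syslog
"""
WEAK_HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
</Location>
"""
HARDENED_HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""
# php.ini directives that must be Off on a production server.
PHP_MUST_BE_OFF = ("display_errors", "display_startup_errors", "expose_php")
def parse_php_ini(text):
    """Return {directive: value} (lower-cased), ignoring ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.lower()
    return settings
def audit_php_ini(text):
    """List directives that leak error details or version info to clients."""
    settings = parse_php_ini(text)
    return [k for k in PHP_MUST_BE_OFF if settings.get(k) in ("on", "1")]
def server_status_unrestricted(text):
    """True if /server-status is exposed with no access-control directive
    (Require in Apache 2.4; Order/Allow/Deny in 2.2)."""
    block = re.search(r"<Location\s+/server-status>(.*?)</Location>", text, re.S | re.I)
    if block is None:
        return False  # handler not configured at all
    return re.search(r"^\s*(Require|Order|Allow|Deny)\b", block.group(1), re.M | re.I) is None
```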
Directory Traversal Attacks

- Attackers access restricted directories and execute commands outside of the root directory.
- Attackers can use trial and error to navigate outside of the root directory and access sensitive information in the system.

[Screenshot: directory listing obtained from the server's filesystem]
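Added here as an example that is not part of the original slides: a Python resolver that maps a requested URL path onto the web root and refuses the dot-dot-slash escapes (plain, percent-encoded, double-encoded and backslash forms) the slide describes; WEB_ROOT and the request samples are constructed.

```python
"""Resolve a client-supplied URL path under the web root, refusing the
dot-dot-slash escapes used in the directory traversal attack above."""
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/var/www/html")   # constructed example root

class TraversalAttempt(ValueError):
    """Raised when a request tries to climb above the web root."""

def resolve_under_root(requested, root=WEB_ROOT):
    """Return the file path under root for a URL path, or raise.

    Percent-decoding is repeated (bounded) so double-encoded sequences
    such as %252e%252e are seen for what they are; the path is then
    normalised segment by segment and must never climb above root."""
    decoded = requested
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in path: %r" % requested)
    decoded = decoded.replace("\\", "/")     # backslash variant on Windows hosts
    parts = []
    for segment in PurePosixPath("/" + decoded.lstrip("/")).parts[1:]:
        if segment == "..":
            if not parts:                    # would leave the web root
                raise TraversalAttempt("path escapes web root: %r" % requested)
            parts.pop()
        elif segment not in ("", "."):
            parts.append(segment)
    return root.joinpath(*parts)

def is_traversal(requested):
    """Detection helper: True if the request would be rejected."""
    try:
        resolve_under_root(requested)
    except TraversalAttempt:
        return True
    return False
```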
HTTP Response Splitting Attack

- An HTTP response splitting attack involves adding header response data into the input field so that the server splits the response into two responses.
- An attacker passes malicious data to a vulnerable application, and the application includes the data
- The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.

[Diagram: a request with Input = Jason producing a split HTTP/1.1 200 OK response]
Web Cache Poisoning Attack

[Diagram: attacker, the web server www.juggyboy.com and its server cache]
1. Attacker sends a request to remove the page from the cache (clearing the cache for juggyboy.com).
2. Attacker sends a malicious request that generates two responses (4 and 6).
3. Attacker requests juggyboy.com again to generate a cache entry.
4. Attacker gets the second response, which points to the attacker's page (poisoned server cache).

http://www.juggyboy.com/welcome.php?lang=

<?php header("Location: " . $_GET['page']); ?>

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be
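The PHP snippet above copies a request parameter straight into the Location header, which is what makes the response splitting described earlier, and the cache poisoning built on it, possible. As an added example that is not from the slides, the Python below models that naive header construction beside a hardened version; the lang allowlist, the parameter values and the responses are constructed.

```python
"""Vulnerable versus hardened construction of a Location header, modelled
on the slide's header("Location: " . $_GET['page']) snippet."""
import re
from urllib.parse import unquote

def build_redirect_naive(page):
    """Vulnerable: the raw parameter becomes part of the header block, so a
    CR/LF inside it starts a new header line (or a second response)."""
    return "HTTP/1.1 302 Found\r\nLocation: " + page + "\r\n\r\n"

def header_lines(raw_response):
    """Split the header block of a raw HTTP response into its lines, which
    lets a test (or a WAF rule) count how many headers really went out."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")

class BadRedirect(ValueError):
    """Raised when a redirect target fails validation."""

# Constructed policy: the slide's lang parameter may only be a 2-letter code.
ALLOWED_LANG = re.compile(r"^[a-z]{2}$")

def build_redirect_safe(lang):
    """Hardened: decode once, refuse control characters, accept only an
    allowlisted value, and build the URL from a server-side template."""
    value = unquote(lang)
    if any(ch in value for ch in "\r\n\x00"):
        raise BadRedirect("control character in redirect target: %r" % lang)
    if not ALLOWED_LANG.match(value):
        raise BadRedirect("redirect target not in allowlist: %r" % lang)
    return "HTTP/1.1 302 Found\r\nLocation: /welcome.php?lang=" + value + "\r\n\r\n"

def is_rejected(lang):
    """True if the hardened builder refuses this parameter value."""
    try:
        build_redirect_safe(lang)
    except BadRedirect:
        return True
    return False
```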
SSH Bruteforce Attack

- SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network.
- Attackers can brute-force SSH login credentials to gain unauthorized access to an SSH tunnel.
- SSH tunnels can be used to transmit malware and other exploits to victims without being detected.
Man-in-the-Middle Attack

- Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and webservers.
- The attacker acts as a proxy such that all the communication between the user and webserver passes through him.

[Diagram: attacker positioned between the user and the webserver, sniffing the communication]
Webserver Password Cracking

- An attacker tries to exploit weaknesses to hack well-chosen passwords.
- The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
- Many hacking attempts start with cracking passwords and prove to the webserver that they are a valid user.
- Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping, keystroke logging, etc.

Attackers target mainly:
- Web form authentication cracking
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares
Webserver Password Cracking Techniques

- Password guessing: a common cracking method used by attackers to guess passwords, either by humans or by automated tools provided with dictionaries.
- Dictionary attack: a file of words is run against user accounts, and if the password is a simple word, it can be found pretty quickly.
- Hybrid attack: works similar to a dictionary attack, but it adds numbers or symbols to the password
- Brute force attack: the most time-consuming, but comprehensive, way to crack a password. Every combination of character is
Web Application Attacks

Vulnerabilities in web applications running on a webserver provide a broad attack path for webserver compromise.

- Parameter/Form Tampering
- File Injection Attack
- Cross-Site Scripting (XSS) Attacks
- Cross-Site Request Forgery (CSRF) Attack
- Directory Traversal
- SQL Injection Attacks
- Denial-of-Service (DoS) Attack
Module Flow

Webserver Concepts → Webserver Threats → Attack Methodology → Webserver Attack Tools
Webserver Attack Methodology

[Diagram: methodology steps including Information Gathering, Webserver Footprinting and Mirroring a Website]
Webserver Attack Methodology: Information Gathering

- Information gathering involves collecting information about the targeted company.
- Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.
- Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number.

[Screenshot: WHOIS lookup for ebay.com (Domain Name: EBAY.COM, Registrar: MARKMONITOR INC., Referral URL: http://www.markmonitor.com, Name Server: SMF-DNS2.EBAYDNS.COM, several clientDeleteProhibited/serverTransferProhibited-style status flags, Updated Date: 15-sep-2010, Creation Date: 04-aug-1995)]
Webserver Attack Methodology: Webserver Footprinting

- Gather valuable system-level information such as account details, operating system and other software versions, server names, and database schema details from footprinting techniques.
- Telnet a webserver to footprint a webserver and gather information such as server name, server type, operating systems, applications running, etc.
- Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting.

[Screenshot: Netcraft site report search for microsoft.com ("Explore 1,207,356 web sites visited by users of the Netcraft Toolbar", 15th December 2010), listing www.microsoft.com (first seen August 1995, Netblock Microsoft Corp, OS Windows), support.microsoft.com (October 1997) and technet.microsoft.com (August 1999)]
Webserver Footprinting Tools

[Screenshot: httprecon 7.3 fingerprinting http://www.nytimes.com:80/, with the target identified as Sun ONE Web Server 6.1 and a ranked list of candidate matches including Netscape Enterprise Server 6.0, Microsoft IIS 6.0, Sun Java System Web Server 6.1 and 7.0, and Apache 2.0.46]

[Screenshot: ID Serve, Internet Server Identification Utility v1.02 (Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.), with the "Query The Server" button and the response headers returned by the server (HTTP/1.1 200 OK, Server: ...)]
Webserver Attack Methodology: Mirroring a Website

- Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
- Search for comments and other items in the HTML source code to make footprinting activities more efficient.
- Use tools such as HTTrack, Web Copier, BlackWidow, etc. to mirror a website.

[Screenshot: HTTrack "Site mirroring in progress" window showing bytes saved, links scanned, files updated and active connections]
Webserver Attack Methodology: Vulnerability Scanning

- Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited.
- Use a vulnerability scanner such as HP WebInspect, Nessus, Paros proxy, etc. to find hosts, services, and vulnerabilities.
- Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
- Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.
Webserver Attack Methodology: Session Hijacking

[Text partly lost in extraction: "... to the target server and snoop the ..."]

[Screenshot: Burp Suite Professional site map (Proxy, Intruder and Repeater tabs) with context-menu options such as add item to scope, remove item from scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools and expand requested items]

Note: For complete coverage of Session Hijacking concepts and techniques, refer to Module 11: Session Hijacking.
Webserver Attack Methodology: Hacking Web Passwords

- Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack web server passwords.
- Use tools such as Brutus,
Module Flow

[Diagram: module flow from Webserver Concepts to Countermeasures]
Webserver Attack Tools: Metasploit

- The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms.
- It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.
Metasploit Architecture

[Diagram: Metasploit architecture, including its Web Services and Integration components]
Metasploit Exploit Module

- It is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit.
- This module comes with si
- Using a Mixins feature, users can also modify exploit behavior dynamically, brute force attacks, and attempt passive exploits.

Steps to exploiting a system using the Metasploit Framework