Hacking Web Servers
Module 12
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet.

Today, most online services are implemented as web applications. Online banking, web search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running at the server side. Attackers therefore target the web server, using techniques such as DoS (DDoS) attacks, SYN floods, ping floods, port scans, sniffing attacks, and social engineering, to steal credentials, passwords, and business information or to disrupt service. In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. One proposed approach augments web servers with trusted co-servers composed of high-assurance secure coprocessors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which can then act as a trusted third party in the browser-server interaction.

Systems are constantly being attacked, and IT security professionals need to be aware of common attacks on web server applications. Attackers use sniffers or protocol analyzers to capture and analyze packets. If data is sent across a network in clear text, an attacker can capture the data packets and use a sniffer to read the data. In other words, a sniffer can eavesdrop on electronic conversations. A popular sniffer is Wireshark; it is also used by administrators for legitimate purposes. One of the challenges for an attacker is to gain access to the network to capture the data. If attackers have physical access to a router or switch, they can connect the sniffer and capture all traffic going through the system. Strong physical security measures help mitigate this risk.

As a penetration tester and ethical hacker of an organization, you must provide security to the company's web server. You must perform checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 40 Minutes
Overview of Web Servers
A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed on the hardware computer. The primary function of a web server is to deliver web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included by a document, such as images, style sheets, and scripts. Many generic web servers also support server-side scripting using Active Server Pages (ASP), PHP, or other scripting languages. This means that the behavior of the web server can be scripted in separate files, while the actual server software remains unchanged. Web servers are not always used for serving the World Wide Web. They can also be found embedded in devices such as printers, routers, and webcams, serving only a local network. The web server may then be used as part of a system for monitoring and/or administering the device in question. This usually means that no additional software has to be installed on the client computer, since only a web browser is required.
Lab Tasks
Recommended labs to demonstrate web server hacking:
■ Footprinting a web server using the httprecon tool
■ Footprinting a web server using the ID Serve tool
■ Exploiting Java vulnerabilities using Metasploit Framework
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB
Ethical Hacking and Countermeasures Copyright © by EC-Council
CEH Lab Manual Page 733
Footprinting Webserver Using the httprecon Tool
The httprecon project undertakes research in the field of web server fingerprinting, also known as http fingerprinting.
Lab Scenario
W e b a p p lic a tio n s are th e m o s t im p o r ta n t w ays to r a n o rg a n iz a tio n to p u b lis h
in fo rm a tio n , in te ra c t w ith I n te r n e t u se rs, a n d esta b lish a n e - c o m m e r c e /e -
g o v e r n m e n t p re se n c e H o w e v e r, i f a n o rg a n iz a tio n is n o t rig o ro u s in
c o n fig u rin g a n d o p e ra tin g its p u b lic w e b site , it m a y b e v u ln e ra b le to a v a rie ty o f
se cu rity th re a ts A lth o u g h th e th re a ts 111 c y b e rsp ac e re m a in largely th e sa m e as
111 th e p h y sical w o rld (e.g., fra u d , th e ft, v a n d a lis m , a n d te rro rism ), th e y are far
m o re d a n g e ro u s as a result O rg a n iz a tio n s ca n fac e m o n e ta ry lo sses, d a m a g e to
re p u ta tio n , 01־ legal a c tio n i f an in tr u d e r su ccessfu lly v io la te s th e c o n fid e n tia lity
o f th e ir d ata D o S atta c k s are easy fo r a tta c k e rs to a tte m p t b ec a u se o f th e
n u m b e r o t p o ssib le a tta c k v e c to rs , th e v a rie ty o f a u to m a te d to o ls available, a n d
th e lo w skill level n e e d e d to u se th e to o ls D o S attac k s, as w ell as th re a ts o f
in itia tin g D o S attac k s, are also in c re asin g ly b e in g u se d to b lack m ail
o rg a n iz a tio n s 111 o rd e r to b e an e x p e rt eth ica l h a c k e r a n d p e n e tra tio n te ste r, }׳o il m u s t u n d e r s ta n d h o w to p e r f o rm f o o tp rin tin g 011 w e b servers
T o c a rry o u t th e lab, y o u need:
■ httprecon to o l lo c a te d at D:\CEH-T 0 0 ls\CEHv 8 Module 12 Hacking
W ebservers\W ebserver Footprinting T ools\httprecon
■ You can also download the latest version of httprecon from the link

httprecon is a tool for advanced web server fingerprinting, similar to httprint. The httprecon project does research in the field of web server fingerprinting, also known as http fingerprinting. The goal is highly accurate identification of given httpd implementations.
Lab Tasks
1. Navigate to D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\httprecon.
2. Double-click httprecon.exe to launch httprecon.
3. The main window of httprecon appears, as shown in the following figure.

Httprecon is distributed as a ZIP file containing the binary and fingerprint databases.

FIGURE 1.1: httprecon main window (tabs: Full Matchlist, Fingerprint Details, Report Preview; matchlist columns: Name, Hits, Match %)
4. Enter the website (URL) www.juggyboy.com that you want to footprint and select the port number.
5. Click Analyze to start analyzing the entered website.
6. You should receive a footprint of the entered website.

Httprecon uses a simple database per test case that contains all the fingerprint elements to determine the given implementation.

FIGURE 1.2: The footprint result of the entered website (the response headers shown include ETag: "a47ee9091a0cd1:7a49", Server: Microsoft-IIS/6.0 and X-Powered-By: ASP.NET; the Matchlist tab reports 352 implementations)

7. Click the GET long request tab, which will list the GET request. Then click Fingerprint Details.
httprecon uses nine different requests, which are sent to the target web server; its identification does not rely on simple banner announcements by the analyzed software.

FIGURE 1.3: The fingerprint and GET long request result of the entered website (response headers shown include Content-Type: text/html, Date: Thu, 18 Oct 2012 11:35:20 GMT and Connection: close)
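The margin note above makes the point that matters for this lab: a tool that only reads the Server header is defeated the moment an administrator rewrites that header, while a tool that compares several response traits against a per-test-case database is not. The following Python script is an added example written for this manual; it is not httprecon's code, and its fingerprint database (header orders, ETag formats, status codes for an unknown method) is constructed for illustration, not an authoritative signature set. The target it analyzes is a constructed IIS 6.0 response whose Server header has been changed to "Apache", with header field names mirroring those visible in Figure 1.2.

```python
"""Multi-feature web server fingerprinting in the manner of httprecon.

Added example for this lab, not httprecon's code. FINGERPRINT_DB is a
constructed, illustrative database; real signatures must be collected from
known installations. Two constructed test cases are scored: a normal
'GET existing' request and a 'TEST method' request (an unknown method).
"""
import re

# Constructed database: implementation -> expected trait per test (illustrative).
FINGERPRINT_DB = {
    "Microsoft-IIS/6.0": {
        "banner_prefix": "Microsoft-IIS",
        "header_order": ("content-length", "content-type", "last-modified",
                         "accept-ranges", "etag", "server", "x-powered-by", "date"),
        "etag_re": r'^"[0-9a-f]+:[0-9a-f]+"$',            # IIS style "<change>:<tag>"
        "unknown_method_status": "501",
    },
    "Apache/2.2.x": {
        "banner_prefix": "Apache",
        "header_order": ("date", "server", "last-modified", "etag",
                         "accept-ranges", "content-length", "content-type"),
        "etag_re": r'^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$',  # Apache style "inode-size-mtime"
        "unknown_method_status": "501",
    },
    "nginx/1.x": {
        "banner_prefix": "nginx",
        "header_order": ("server", "date", "content-type", "content-length",
                         "last-modified", "connection", "etag", "accept-ranges"),
        "etag_re": r'^"[0-9a-f]+-[0-9a-f]+"$',            # nginx style "mtime-size"
        "unknown_method_status": "405",
    },
}


def parse_response(raw):
    """Return (status_code, [(lower_name, value), ...]); header ORDER is kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = parts[1] if len(parts) > 1 else ""
    headers = []
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def same_relative_order(observed, expected):
    """True if the headers common to both lists appear in the same order."""
    common = set(observed) & set(expected)
    if not common:
        return False
    return [h for h in observed if h in common] == [h for h in expected if h in common]


def extract_features(responses):
    """responses maps test-case name -> raw response text."""
    _, headers = parse_response(responses["GET existing"])
    by_name = dict(headers)
    return {
        "banner": by_name.get("server", ""),
        "header_order": [name for name, _ in headers],
        "etag": by_name.get("etag", ""),
        "unknown_method_status": parse_response(responses["TEST method"])[0],
    }


def banner_only(responses):
    """What a plain banner grabber reports: the Server header, verbatim."""
    return extract_features(responses)["banner"]


def score(features, db=FINGERPRINT_DB):
    """Rank implementations by hits, like httprecon's Matchlist (Name, Hits, Match %)."""
    tests = 4
    ranked = []
    for name, fp in db.items():
        hits = 0
        hits += features["banner"].startswith(fp["banner_prefix"])
        hits += same_relative_order(features["header_order"], fp["header_order"])
        hits += bool(features["etag"] and re.match(fp["etag_re"], features["etag"]))
        hits += features["unknown_method_status"] == fp["unknown_method_status"]
        ranked.append((name, int(hits), round(100 * hits / tests)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed target: IIS 6.0 whose admin rewrote the Server header to "Apache".
SPOOFED_IIS = {
    "GET existing": (
        "HTTP/1.1 200 OK\r\nContent-Length: 1433\r\nContent-Type: text/html\r\n"
        "Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT\r\nAccept-Ranges: bytes\r\n"
        "ETag: \"a47ee9091a0cd1:7a49\"\r\nServer: Apache\r\nX-Powered-By: ASP.NET\r\n"
        "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\nConnection: close\r\n\r\n<html></html>"
    ),
    "TEST method": "HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\nServer: Apache\r\n\r\n",
}

if __name__ == "__main__":
    print("Banner says:", banner_only(SPOOFED_IIS))
    for name, hits, pct in score(extract_features(SPOOFED_IIS)):
        print(f"{name:20s} hits={hits} match={pct}%")
```

Run as written, the banner grab reports "Apache" while the scored matchlist puts Microsoft-IIS/6.0 first (3 of 4 traits) and Apache second (2 of 4), which is the discrepancy a tester should expect whenever a server's banner has been hardened or deliberately faked. When you document the lab, record both the banner and the fingerprint result, and treat a disagreement between them as a finding in itself.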
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
Footprinting Webserver Using the ID Serve Tool

Lab Scenario
It is very important for penetration testers to be familiar with banner-grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab you will learn the banner grabbing technique to determine a remote target system using ID Serve. In order to be an expert ethical hacker and penetration tester, you must understand how to
To carry out the lab, you need:
■ ID Serve located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Footprinting Tools\ID Serve
■ You can also download the latest version of ID Serve from the link
■ Run this tool on Windows Server 2012 as host machine

Not all Internet servers with a forward-direction lookup (Domain-to-IP) have a reverse (IP-to-Domain) lookup, but many do.
FIGURE 2.1: Welcome screen of ID Serve (fields: "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com)", the Query The Server button, the "Server query processing" pane, "The server identified itself as", and the Goto ID Serve web page and Copy buttons)
6. Click Query The Server to start querying the entered website.
7. After the completion of the query, ID Serve displays the results of the entered website as shown in the following figure.
ID Serve can almost always identify the make, model, and version of any web site's server software.

FIGURE 2.2: ID Serve detecting the footprint (ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; the "Server query processing" pane shows the response beginning HTTP/1.1 200 OK, Content-Type: text/html, Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT, Accept-Ranges: bytes, ETag: "c95dc4af6274cd1:0")
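What ID Serve does in steps 6 and 7 is a plain banner grab: connect to the server and port, send a request, and report the Server header back, with a reverse lookup when the input is an IP address rather than a name (the lab's second question). The Python script below is an added example written for this manual, not ID Serve's code. Its grab_banner() function needs a reachable target and is therefore not exercised offline; the parsing and URL-versus-IP handling are shown on a constructed response whose header fields mirror those visible in Figure 2.2 (the Server value and the 192.0.2.10 address are assumed, not taken from the lab).

```python
"""Banner grabbing in the manner of ID Serve (added example, not the tool's code)."""
import ipaddress
import re
import socket
import ssl
from urllib.parse import urlsplit


def parse_target(target):
    """Normalise user input into (host, port, path, scheme, is_ip).

    Accepts a bare host ('www.juggyboy.com'), a URL ('http://192.0.2.10/realhome')
    or host:port. A bare host is assumed to mean http on port 80.
    """
    if "://" not in target:
        target = "http://" + target
    parts = urlsplit(target)
    host = parts.hostname or ""
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    path = parts.path or "/"
    try:
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        is_ip = True
    except ValueError:
        is_ip = False
    return host, port, path, scheme, is_ip


def build_head_request(host, path="/"):
    """A minimal HEAD request: the headers are all a banner grab needs."""
    return (f"HEAD {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "User-Agent: banner-grab-example\r\n"
            "Connection: close\r\n\r\n")


def server_banner(raw_response):
    """Return the Server header value, or '' when the server withholds it."""
    match = re.search(r"^Server:[ \t]*(.*?)\r?$", raw_response,
                      re.IGNORECASE | re.MULTILINE)
    return match.group(1).strip() if match else ""


def grab_banner(target, timeout=5.0):
    """Connect, send HEAD and return (banner, reverse_name). Requires network.

    As with ID Serve, an IP address additionally triggers a reverse
    (IP-to-domain) lookup; not every address has a PTR record, so the
    reverse name may be empty even when the banner is not.
    """
    host, port, path, scheme, is_ip = parse_target(target)
    sock = socket.create_connection((host, port), timeout=timeout)
    if scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_head_request(host, path).encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the end of the headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    reverse_name = ""
    if is_ip:
        try:
            reverse_name = socket.gethostbyaddr(host)[0]
        except (socket.herror, socket.gaierror):
            reverse_name = ""
    return server_banner(raw.decode("latin-1")), reverse_name


# Constructed response; header fields mirror Figure 2.2, the Server value is assumed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Last-Modified: Tue, 07 Aug 2012 06:05:46 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "ETag: \"c95dc4af6274cd1:0\"\r\n"
    "Server: Microsoft-IIS/8.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Thu, 18 Oct 2012 11:35:20 GMT\r\n"
    "Connection: close\r\n\r\n"
)

# A hardened server that omits the header leaves a banner grabber with nothing.
SILENT_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print(parse_target("http://192.0.2.10/realhome"))
    print("identified as:", server_banner(SAMPLE_RESPONSE) or "(no Server header)")
    print("identified as:", server_banner(SILENT_RESPONSE) or "(no Server header)")
```

The two constructed responses show the limit of the technique: the first yields "Microsoft-IIS/8.0", the second yields nothing because the administrator removed the header. A tester who sees an empty or generic banner should fall back on the multi-request fingerprinting from the httprecon lab rather than record "unknown"; conversely, an administrator who relies on hiding the banner has not hidden the server.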
Lab Analysis
Document all the server information.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

1. Analyze how ID Serve determines a site's web server.
2. What happens if we enter an IP address instead of a URL?

Internet Connection Required: Yes
Platform Supported
Exploiting Java Vulnerabilities Using Metasploit Framework

Lab Scenario
of the system for any potential vulnerabilities that could result from poor or improper system configuration, either known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. Metasploit Framework is one of the main tools for every penetration test engagement. To be an expert ethical hacker and penetration tester, you must have a sound understanding of Metasploit Framework, its various modules, exploits, payloads, and commands in order to perform a pen test of a target.

To carry out the lab, you need:
■ Metasploit located at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
■ You can also download the latest version of Metasploit Framework from the link http://www.metasploit.com/download/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ A web browser and Microsoft .NET Framework 2.0 or later on both host and target machine
■ JRE 7u6 running on the target machine (remove any other version of JRE installed on the target machine). The JRE 7u6 setup file (jre-7u6-windows-i586.exe) is available at D:\CEH-Tools\CEHv8 Module 12 Hacking Webservers\Webserver Attack Tools\Metasploit
■ You can also download the JRE 7u6 setup file at http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Lab Duration
Time: 20 Minutes

Overview of the Lab
This lab demonstrates the exploit that takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify

Lab Tasks
1. Install Metasploit on the host machine Windows Server 2012.
■ Double-click metasploit-latest-windows-installer.exe and follow the wizard-driven installation steps to install Metasploit Framework.
2. After installation completes, it will automatically open in your default web browser as shown in the following figure.
3. Click I Understand the Risks to continue.

FIGURE 3.1: Metasploit Untrusted connection in web browser (Firefox's "This Connection is Untrusted" page for the local Metasploit web interface: "You have asked Firefox to connect securely to localhost ... but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified." with the buttons Get me out of here!, Technical Details and I Understand the Risks)

4. Click Add Exception.