Hacking Webservers
Module 12
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker


Ethical Hacking and Countermeasures v8, Module 12: Hacking Webservers. Engineered by Hackers. Presented by Professionals.

Module 12 Page 1601 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News: GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.

A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers: specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.
AnonymousOwn3r's bio reads "Security leader of #Anonymous ("Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."

Copyright © 2012 AOL Inc. By Klint Finley
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module highlights the various security concerns in the context of webservers. After finishing this module, you will be able to understand a web server and its architecture, how an attacker hacks it, the different types of attacks an attacker can carry out on web servers, the tools used in web server hacking, and so on. Web server security is a vast domain, and the finer details of the discussion are beyond the scope of this module. This module familiarizes you with:

• IIS Web Server Architecture
• Why Web Servers Are Compromised
• Impact of Webserver Attacks
• Webserver Attacks
• Webserver Attack Methodology
• Webserver Attack Tools
• Metasploit Architecture
• Web Password Cracking Tools
• Countermeasures
• How to Defend Against Web Server Attacks
• Patch Management
• Patch Management Tools
• Webserver Security Tools
• Webserver Pen Testing Tools
• Webserver Pen Testing
Module Flow

To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. All of these are simply termed web server concepts, so we will discuss web server concepts first. The module flow is: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Counter-measures, Patch Management, Webserver Security Tools, and Webserver Pen Testing.

This section gives a brief overview of the web server and its architecture. It also explains the common reasons or mistakes that allow attackers to hack a web server successfully, and describes the impact of attacks on the web server.
Webserver Market Shares
Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, at 64.6%. Below that, the Microsoft IIS server is used by 17.4% of sites.
FIGURE 12.1: Web Server Market Shares (bar chart, 0 to 80%): Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%, Tomcat, Lighttpd.
Open Source Webserver Architecture

The diagram below illustrates the basic components of open source web server architecture.
FIGURE 12.2: Open Source Web Server Architecture (site users and the site admin reach the server over the Internet, and attacks arrive the same way; the stack consists of Linux, the file system, Apache, email, PHP, applications, compiled extensions, and MySQL)

Where:
• Linux: the server's operating system
• Apache: the web server component
• MySQL: a relational database
• PHP: the application layer
IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.

IIS, also known as Internet Information Services, is a web server application developed by Microsoft that can be used with Microsoft Windows. It is the second largest web server after the Apache HTTP server, occupying around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. The diagram that follows illustrates the basic components of IIS web server architecture.
FIGURE 12.3: IIS Web Server Architecture. Components shown in the diagram:
• Kernel mode: the HTTP Protocol Stack (HTTP.SYS), which receives client requests from the Internet
• User mode: Svchost.exe hosting the WWW Service and the Windows Activation Service (WAS), which reads applicationHost.config
• Application Pool: the Web Server Core (begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing)
• Native Modules: anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging
• AppDomain with Managed Modules, for example Forms Authentication
• External Apps
Website Defacement

Website defacement is the process by which hackers change the content of a website or web page. Hackers break into the web server and alter the hosted website by creating something new. Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
FIGURE 12.4: Website Defacement (a browser showing http://juggyboy.com/index.aspx replaced with the message "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com")
Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.

• Webmaster's concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. These may take the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large complex programs are often considered the source of imminent security lapses; web servers are large complex programs and come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

• Network administrator's concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make the web server almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server so that legitimate users are recognized and authenticated, and various groups of users are assigned distinct access privileges.

• End user's concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The table that follows shows the causes and consequences of web server compromises:

Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default or no passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible

TABLE 12.1: Causes and consequences of web server compromises
Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:

• Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker can gain a lot of useful information and can use the compromised account to launch further attacks on the web server.
• Data tampering: The attacker can alter or delete the data, and can even replace the data with malware so that whoever connects to the web server also becomes compromised.
• Website defacement: Hackers completely change the look of the website by replacing the original data. They change the visuals and display different pages with messages of their own.
• Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.
• Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive company data, such as the source code of a particular program.
• Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they get root access to the source.
Module Flow

Now that you are familiar with web server concepts, we move forward to the possible attacks on web servers. Every online action is performed with the help of a web server, so the web server is considered a critical resource of an organization, and this is the same reason attackers target it. Attackers use many techniques to compromise a web server, and we will now discuss those attack techniques: ... attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.
Web Server Misconfiguration

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft.

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds such a weakness, for example a remotely reachable administration interface, it becomes a doorway into the company's network, and such loopholes can let the attacker bypass user authentication. Once detected, these problems are easy to exploit and can result in the total compromise of a website. Common examples:

- Remote administration functions: an exposed administration interface gives the attacker a direct route to take over the server.
- Unnecessary services enabled: every service that is not needed adds attack surface that may itself be vulnerable.
- Misconfigured or default SSL certificates.
- Verbose debug/error messages that reveal internal paths, software versions, or query text.
- Anonymous or default users/passwords.
- Sample configuration and script files left on the server.
Web Server Misconfiguration Example

Consider the httpd.conf file on an Apache server:

    <Location /server-status>
        SetHandler server-status
    </Location>

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including the hosts and requests currently being processed. A Location block with no access-control directive (such as Require local) is reachable from any client on the Internet.

Consider another example, the php.ini file (the directive names are display_errors and ignore_repeated_errors):

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server

This configuration sends verbose error messages, including file paths and the failing statement, to the client.
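The two misconfigurations above are easy to check for mechanically. The following is an added example, not code from the CEH courseware: it parses a constructed httpd.conf fragment and a constructed php.ini fragment (the names HTTPD_CONF and PHP_INI, the regexes and the helper functions are all this example's own) and reports a status handler exposed without any access-control directive and a display_errors setting that leaks error detail to clients.

```python
# Added example (not courseware code): audit the two misconfigurations
# shown above. The configuration text is constructed inline.
import re

# Constructed sample: the slide's open Location block plus a restricted one.
HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
</Location>
<Location /server-info>
    SetHandler server-info
    Require local
</Location>
"""

# Constructed sample php.ini fragment from the slide.
PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)
ACCESS_RE = re.compile(r"^\s*(Require|Allow|Deny|Order)\b", re.M | re.I)
STATUS_RE = re.compile(r"SetHandler\s+(server-status|server-info)", re.I)


def exposed_status_handlers(conf: str) -> list:
    """Paths whose <Location> block enables server-status/server-info
    without any access-control directive, i.e. reachable by anyone."""
    findings = []
    for path, body in LOCATION_RE.findall(conf):
        if STATUS_RE.search(body) and not ACCESS_RE.search(body):
            findings.append(path.strip())
    return findings


def php_ini_settings(ini: str) -> dict:
    """Parse 'key = value' lines, ignoring ';' comments; keys lower-cased."""
    settings = {}
    for line in ini.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def verbose_php_errors(ini: str) -> bool:
    """True when PHP would send error details to the client. PHP's compiled-in
    default for display_errors is On, so a missing directive is also verbose."""
    value = php_ini_settings(ini).get("display_errors", "1")
    return value in ("on", "1", "true", "yes", "stdout", "stderr")


if __name__ == "__main__":
    print("status pages open to everyone:", exposed_status_handlers(HTTPD_CONF))
    print("verbose PHP errors to clients:", verbose_php_errors(PHP_INI))
```

Run against the two sample fragments the script reports /server-status (but not /server-info, which carries Require local) and flags the php.ini as verbose. The fix on a real server is to add Require local (or an explicit IP allow-list) inside the Location block and to set display_errors = Off while keeping log_errors = On so the detail still reaches the server log.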
Directory Traversal Attacks

Web servers are designed so that public access is limited to a document root. Directory traversal is exploitation of HTTP through which attackers access restricted directories and execute commands outside of the web server root directory by manipulating a URL. Attackers can use trial and error to navigate outside of the root directory and access sensitive information on the system.

Example request (the classic IIS traversal using a URL-encoded backslash, %5c):

    http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:

If the server decodes %5c to a backslash only after it has checked the path, the request escapes the /scripts directory, runs cmd.exe, and returns a directory listing of C:\ (volume label and serial number, files such as AUTOEXEC.BAT and CONFIG.SYS, and directories such as Documents and Settings, Program Files and WINDOWS) in the HTTP response.

FIGURE 12.7: Directory Traversal Attacks (browser showing the C:\ listing returned by the request, beside the site's intended directory tree: company, downloads, imgs, news, scripts, support)
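The mistake the traversal above exploits is checking the path before it has been fully decoded. The following is an added example, not courseware code, showing both sides: a decoder that handles %5c and double encoding the way IIS effectively did, a detector for ".." segments, and a resolver that normalizes the path and only then compares it against an assumed document root (DOCROOT, the sample request paths and the function names are this example's own).

```python
# Added example (not courseware code): detect traversal sequences in request
# paths and resolve paths safely inside a document root. The document root
# and the sample request paths are assumed/constructed.
import posixpath
from typing import Optional
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding such as %255c),
    then treat backslashes as separators the way IIS does with %5c."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when the decoded path contains a '..' segment anywhere."""
    return ".." in fully_decode(path).split("/")


def resolve(path: str) -> Optional[str]:
    """Map a request path to a file under DOCROOT, or None if the normalized
    path escapes the root. Comparing after normpath is what matters: a '..'
    that stays inside the root (/docs/../index.html) is harmless."""
    decoded = fully_decode(path.split("?", 1)[0])
    target = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return None
    return target


# Constructed sample request paths, including the slide's IIS payload.
SAMPLES = [
    "/index.html",
    "/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:",
    "/images/..%255c..%255c/boot.ini",
    "/docs/../index.html",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:55} traversal={is_traversal(p)!s:5} -> {resolve(p)}")
```

Note the difference between the two checks: is_traversal flags any ".." (useful as an IDS signature, but it also fires on /docs/../index.html, which never leaves the root), while resolve only rejects requests whose normalized target is outside DOCROOT, which is the check a server or file-serving handler should actually enforce.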
HTTP Response Splitting Attack

An HTTP response splitting attack involves adding header response data into an input field so that the server's reply is split into two responses. The server is tricked by injecting new lines (CR LF) into response headers along with arbitrary content. It belongs to the same family of injection attacks as cross-site scripting (XSS) and SQL injection, and a split response is often used to deliver XSS or CSRF payloads. The attacker crafts a single request whose reply is parsed by the browser (or an intermediate proxy) as two responses: the attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header without validation. The attacker controls the first response and can use it to redirect the user to a malicious website, whereas the second response is discarded by the web browser (or, in the cache poisoning case, stored by a proxy).

Consider servlet code that copies a request parameter into a cookie header:

    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Input = Jason gives the expected single response:

    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n (the CR LF pairs sent URL-encoded as %0d%0a) gives two responses:

    First response (controlled by attacker)
    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker

    Second response
    HTTP/1.1 200 OK

FIGURE 12.8: HTTP Response Splitting Attack
Web Cache Poisoning Attack

Web cache poisoning is an attack on the trustworthiness of an intermediate web cache (a caching proxy): legitimate content cached for a given URL is replaced with content supplied by the attacker. Users behind the cache unknowingly receive the poisoned content instead of the genuine page when they request that URL through the cache. The attacker forces the cache to flush its copy of the page and then sends a specially crafted request whose second response is stored in the cache. The diagram for this slide shows the following step-by-step procedure against the example site juggyboy.com:

1. The attacker sends a request to remove the page from the cache:

       GET http://juggyboy.com/index.html HTTP/1.1
       Pragma: no-cache
       Host: juggyboy.com
       Accept-Charset: iso-8859-1,*,utf-8

2. The server returns the normal response; the cache entry for juggyboy.com is cleared.

3. The attacker sends a malicious request to a redirect script on the site that copies a query parameter into the Location header without validation:

       <?php header("Location: " . $_GET['site']); ?>

   The request is:

       GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
       Host: juggyboy.com

   The injected %0d%0a sequences split the reply into two responses (steps 4 and 6).

4. The attacker receives the first server response (the empty redirect with Content-Length: 0).

5. The attacker immediately requests juggyboy.com again so that the cache creates an entry:

       GET http://juggyboy.com/index.html HTTP/1.1
       Host: testsite.com
       User-Agent: Mozilla/4.7 [en] (WinNT; I)
       Accept-Charset: iso-8859-1,*,utf-8

6. The second response of request 3, which carries the attacker's page and its own Last-Modified header, is matched by the cache to the request of step 5 and stored.

Poisoned server cache: the address www.juggyboy.com now maps to the attacker's page.

FIGURE 12.9: Web Cache Poisoning Attack
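The response splitting slide and the cache poisoning procedure above rely on the same defect, so one added example serves both. This is not courseware code: it models a redirect script like the slide's redir.php that echoes a query parameter into the Location header (build_redirect_response), parses the resulting bytes the way a caching proxy would, and shows that the slide's payload yields two responses, the second of which is the attacker's page. A hardened variant that rejects CR/LF is shown alongside. All function names, and the Content-Length (computed from the page rather than the slide's fixed 20), are this example's own.

```python
# Added example (not courseware code): model a redirect script like the
# slide's redir.php that copies a query parameter into the Location header,
# then parse the bytes the way a caching proxy would, to show the split.
from urllib.parse import quote, unquote


def build_redirect_response(site: str) -> bytes:
    """Vulnerable server behaviour: the untrusted value goes straight into
    a header, CR LF included."""
    return f"HTTP/1.1 302 Found\r\nLocation: {site}\r\n\r\n".encode("latin-1")


def build_redirect_response_safe(site: str) -> bytes:
    """Hardened variant: refuse any CR or LF in a header value."""
    if "\r" in site or "\n" in site:
        raise ValueError("CR/LF in header value: response splitting attempt")
    return build_redirect_response(site)


def split_responses(raw: bytes) -> list:
    """Parse a stream into (status_line, headers, body) tuples: status line,
    headers, blank line, then Content-Length bytes of body per response."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        head = raw[pos:head_end].decode("latin-1")
        if not head.strip():
            break
        status, *lines = head.split("\r\n")
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append((status, headers, raw[body_start:body_start + body_len]))
        pos = body_start + body_len
    return responses


# The slide's payload, URL-encoded as it appears in the request line; the
# Content-Length is computed so the cache reads exactly the injected page.
PAGE = "<html>Attack Page</html>"
PAYLOAD = (
    "%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Last-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0a"
    f"Content-Length:%20{len(PAGE)}%0d%0a"
    "Content-Type:%20text/html%0d%0a%0d%0a" + quote(PAGE)
)


def poisoned_entry(payload: str) -> tuple:
    """(number of responses, body of the second) as a proxy sees them after
    the web server URL-decodes the parameter and echoes it."""
    parts = split_responses(build_redirect_response(unquote(payload)))
    second_body = parts[1][2].decode("latin-1") if len(parts) > 1 else ""
    return len(parts), second_body


if __name__ == "__main__":
    count, body = poisoned_entry(PAYLOAD)
    print(f"proxy sees {count} responses; second body = {body!r}")
```

The parser is deliberately naive (Content-Length only, no chunked encoding) because that is exactly the framing a proxy uses to decide where one response ends and the next begins; the attacker's Content-Length: 0 on the first response is what makes the proxy start reading the second one. The safe builder shows the only reliable fix: never let CR or LF reach a header value.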
HTTP Response Hijacking

HTTP response hijacking is accomplished with a response splitting request. The attacker first sends a response splitting request to the web server. The server's reply is split into two responses; the first is consumed by the attacker's request and the second is left in the connection (for example on a shared proxy) and delivered to the victim. On receiving that response, the victim requests a service and submits credentials. At the same time, the attacker requests the index page. The web server's reply to the victim's request is then delivered to the attacker, and the victim remains unaware. The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack.

FIGURE 12.10: HTTP Response Hijacking
SSH Brute Force Attack

The SSH protocol creates an encrypted tunnel between two hosts so that data which would otherwise travel in clear text is protected across an insecure network. Attackers can brute-force SSH login credentials to gain unauthorized access to an SSH server and its tunnels, and a compromised SSH tunnel can then be used to transmit malware and other exploits to victims without being detected. To conduct the attack, the attacker first scans the SSH server to identify possible weaknesses (software version, permitted authentication methods, valid user names). With a brute force attack the attacker then obtains login credentials. Once the SSH credentials are obtained, the attacker uses the same tunnels to reach the systems behind the SSH server (mail server, web server, application server, file server) and to deliver malware and exploits to them undetected.

FIGURE 12.11: SSH Brute Force Attack (attacker on the Internet, SSH server in front of the mail, web, application and file servers)
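From the defender's side, an SSH brute force attack is loud: a burst of "Failed password" lines from one source, often across several user names, sometimes followed by an "Accepted" line. The following is an added example, not courseware code, that parses OpenSSH syslog lines (the log lines, host name, addresses and thresholds are all constructed for the example) and flags sources exceeding a failure threshold inside a sliding window, reporting whether a success followed.

```python
# Added example (not courseware code): flag SSH brute-force sources from sshd
# log lines. The log is constructed in OpenSSH's syslog format; the year is
# assumed because syslog timestamps omit it.
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Sep 28 06:43:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Sep 28 06:43:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Sep 28 06:43:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51524 ssh2
Sep 28 06:43:04 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51525 ssh2
Sep 28 06:43:05 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51526 ssh2
Sep 28 06:43:06 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51527 ssh2
Sep 28 06:43:09 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51528 ssh2
Sep 28 07:10:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Sep 28 07:15:00 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log: str, year: int = 2010) -> list:
    """Return (timestamp, result, user, ip) for every auth line that matches."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def brute_force_sources(log: str, threshold: int = 5, window_s: int = 60) -> dict:
    """{ip: (failures_in_window, users_tried, followed_by_success)} for every
    source with at least `threshold` failures inside a `window_s` window."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(log):
        by_ip[ip].append((ts, result, user))
    flagged = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, res, user in evs if res == "Failed"]
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if (ts - start).total_seconds() <= window_s]
            if len(burst) >= threshold:
                success = any(res == "Accepted" and ts >= start for ts, res, _ in evs)
                flagged[ip] = (len(burst), sorted(set(burst)), success)
                break
    return flagged


if __name__ == "__main__":
    for ip, (n, users, success) in brute_force_sources(LOG).items():
        print(f"{ip}: {n} failures, users {users}, success afterwards: {success}")
```

On the sample log 203.0.113.7 is flagged (six failures in five seconds against admin and root, then an accepted root password, which is the case that should page someone), while alice's single typo from 198.51.100.4 is not. The same logic is what tools like fail2ban implement; the countermeasures are key-based authentication, PermitRootLogin no, and rate limiting or lockout on the SSH port.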
Man-in-the-Middle Attack

Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and a web server. The attacker acts as a proxy so that all communication between the user and the web server passes through them.

A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages exchanged between the user and the web server, by eavesdropping on the connection or inserting themselves into it. This allows the attacker to steal sensitive user information such as online banking details, user names, and passwords transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through a system the attacker controls, by pretending to be a proxy. If the victim accepts, all communication between the user and the web server passes through the attacker, who can sniff the traffic to steal session IDs and other sensitive data.

FIGURE 12.12: Man-in-the-Middle Attack (the user visits a website; the attacker sniffs the communication to steal session IDs)
Webserver Password Cracking

An attacker tries to exploit weaknesses to crack even well-chosen passwords. Many hacking attempts start with cracking passwords, because a valid password proves to the web server that the attacker is a legitimate user; once a password is cracked, the attacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, Trojan horses or viruses, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to obtain passwords. Attackers mainly target:

- Web form authentication cracking
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares
Webserver Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers use the following techniques:

- Guessing: A common method is to guess passwords, either by a human or by an automated tool fed with a dictionary. Most people use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "qwerty", "password", "admin", etc. so that they are easy to remember, and the same property lets an attacker guess them.
- Dictionary attack: A dictionary attack tries a predefined list of words and common combinations. It is far faster than a brute force attack, but it fails when the password contains special characters and symbols that are not in the list.
- Brute force attack: The brute force method tests every possible combination of characters, for example uppercase "A to Z", lowercase "a to z" and digits "0 to 9". It is practical only for short passwords: if a password mixes uppercase and lowercase letters, digits and special characters, exhausting the search space can take months or years, which is practically impossible for the attacker.
- Hybrid attack: A hybrid attack works like a dictionary attack but appends or inserts numbers and symbols (and case variations) into each dictionary word. Because it combines the dictionary and brute force approaches, it is more powerful than either alone against passwords built from a word plus a few extra characters, and cracking such passwords becomes much easier.
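The four techniques differ mainly in the size of the candidate space they search. The following added example (not courseware code) makes that concrete: it generates dictionary, hybrid and brute force candidates and hashes each against a constructed, unsalted SHA-256 target for the password Password2010!, counting how many attempts each technique needs. The wordlist is the slide's list of common passwords; the suffix list, the hash choice and the function names are this example's assumptions.

```python
# Added example (not courseware code): compare the candidate spaces of the
# dictionary, hybrid and brute force techniques against one password hash.
# The wordlist and the target ('Password2010!') are constructed.
import hashlib
import itertools
import string

WORDLIST = ["password", "root", "administrator", "admin",
            "demo", "test", "guest", "qwerty"]


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


TARGET_HASH = sha256("Password2010!")  # constructed target, assumed unsalted


def dictionary_candidates(words):
    """Plain dictionary attack: each word exactly as listed."""
    yield from words


def hybrid_candidates(words, suffixes=("", "1", "123", "2010", "!", "2010!")):
    """Dictionary attack with case mutations and appended digits/symbols."""
    for word in words:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield form + suffix


def brute_force_candidates(alphabet=string.ascii_lowercase, max_len=4):
    """Exhaustive search over every string up to max_len characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def brute_force_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a brute force run of this size must try."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def crack(target_hash: str, candidates) -> tuple:
    """Hash each candidate until one matches; returns (password, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if sha256(cand) == target_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    print("dictionary:", crack(TARGET_HASH, dictionary_candidates(WORDLIST)))
    print("hybrid:    ", crack(TARGET_HASH, hybrid_candidates(WORDLIST)))
    print("brute a-z <=4:", crack(TARGET_HASH, brute_force_candidates()))
    print("space for 95 printable chars, length 8:", brute_force_space(95, 8))
```

The dictionary run exhausts its eight words without a hit, the hybrid run recovers Password2010! on the twelfth attempt, and the lowercase brute force run tries all 475,254 strings of up to four letters and still fails, because the target is thirteen mixed characters. brute_force_space(95, 8) shows why the text calls full brute force on a mixed password impractical: over 6.7 quadrillion candidates for eight printable characters. A real password store should use a salted, slow hash (bcrypt, scrypt, Argon2) precisely so that each attempt costs far more than one SHA-256.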
Web Application Attacks

Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise. Note: for complete coverage of web application attacks refer to Module 13: Hacking Web Applications.

- Directory Traversal: exploitation of HTTP through which attackers access restricted directories and execute commands outside the web server root directory by manipulating a URL.
- Parameter/Form Tampering: manipulating the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.
- Cookie Tampering: poisoning or modifying the client's cookie. Most such attacks take place when the cookie is sent from the client to the server; persistent and non-persistent cookies can be modified with a variety of tools.
- Command Injection Attacks: the attacker supplies input through form fields that lack proper validation, and the application passes it on unchanged to an interpreter (a system shell, or the HTML of the page), so the attacker's commands or markup are executed.
- Buffer Overflow Attacks: most applications are designed to hold a bounded amount of data. If that amount is exceeded, the application may crash or behave in other exploitable ways. The attacker floods the application with more data than it expects, causing a buffer overflow.
- Cross-Site Scripting (XSS) Attacks: an attacker injects HTML tags or scripts into a target website, which are then executed in other users' browsers.
- Denial-of-Service (DoS) Attack: an attack intended to halt the operation of a website or server and make it unavailable to its intended users.
- Unvalidated Input and File Injection Attacks: attacks carried out by supplying unvalidated input to, or injecting files into, a web application.
- Cross-Site Request Forgery (CSRF) Attack: a malicious web page makes the user's browser send requests to a vulnerable website, where actions the user did not intend are performed with the user's authenticated session. This kind of attack is especially dangerous on financial websites.
- SQL Injection Attacks: a code injection technique that exploits a vulnerability in how the application builds database queries. The attacker injects malicious SQL into strings that are later passed to the SQL server for execution.
- Session Hijacking: the attacker exploits, steals, or predicts a valid web session identifier to take over the session control mechanism and access the authenticated parts of a web application.
Module Flow

So far we have discussed web server concepts and the various techniques attackers use to hack web servers. Attackers usually compromise a web server by following a procedural method; this section describes that attack methodology and the tools that help at its various stages.

Module sections: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Counter-measures, Patch Management, Webserver Security Tools, Webserver Pen Testing.
Webserver Attack Methodology

Hacking a web server is accomplished in stages. At each stage the attacker gathers more information about weaknesses and tries to gain unauthorized access to the web server. The stages are:

- Information Gathering: every attacker first collects as much information as possible about the target web server, then analyzes it to find security lapses in the server's current configuration.
- Web Server Footprinting: gathering more information about the security aspects of a web server with the help of tools or footprinting techniques, in particular its remote access capabilities, its ports and services, and the security mechanisms in place.
- Mirroring Website: website mirroring copies a website and its content onto another server for offline browsing and analysis.
- Vulnerability Scanning: finding vulnerabilities and misconfigurations of a web server with automated tools known as vulnerability scanners.
- Session Hijacking: once a client's current session is identified, the attacker takes complete control of the user session.
- Hacking Web Server Passwords: attackers use password cracking methods such as brute force, hybrid and dictionary attacks to crack web server passwords.
Webserver Attack Methodology: Information Gathering

Information gathering involves collecting information about the targeted company. Before hacking, every attacker first collects the required information, such as the versions and technologies used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company, and use tools such as Whois, Traceroute and Active Whois to query the Whois databases for details such as a domain name, an IP address, or an autonomous system number. Most of an attacker's time is spent in this phase, which is why information gathering is as much an art as a science. Note: for complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance.

Tools for information gathering include:

- Whois
- Traceroute
- Active Whois
- Nmap
- Angry IP Scanner
- Netcat

Whois

Source: http://www.whois.net

Whois allows you to perform a domain whois search and a whois IP lookup, and to search the whois database for information on domain registration and availability. This can provide insight into a domain's history and additional details: who owns a domain name, how many pages from a site are listed with Google, or the Whois address listings for a website's owner.

Example WHOIS record for ebay.com (queried via whois.verisign-grs.com, Whois Server Version 2.0):

    Domain Name: EBAY.COM
    Registrar: MARKMONITOR INC.
    Whois Server: whois.markmonitor.com
    Referral URL: http://www.markmonitor.com
    Name Server: SJC-DNS1.EBAYDNS.COM
    Name Server: SJC-DNS2.EBAYDNS.COM
    Name Server: SMF-DNS1.EBAYDNS.COM
    Name Server: SMF-DNS2.EBAYDNS.COM
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Status: serverDeleteProhibited
    Status: serverTransferProhibited
    Status: serverUpdateProhibited
    Updated Date: 15-sep-2010
    Creation Date: 04-aug-1995
    Expiration Date: 03-aug-2018

FIGURE 12.13: WHOIS Information Gathering
  42. 42. Ethical Hacking and Countermeasures Hacking Webservers Exam 312-50 Certified Ethical Hacker Webserver Attack Methodology: Webserver Footprinting J Telnet a Webserver to footprint a Webserver and gather information such as server name, server type, operating systems, applications running, etc. J ilhiul lUthM Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details J C EH Urt1fw4 Use tool such as ID Serve, httprecon, and Netcraft to perform footprinting Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited. W e b S e r v e r A tta c k M e th o d o l o g y : W e b s e r v e r F o o tp rin tin g The purpose of footprinting is to gather account details, operating system and other software versions, server names, and database schema details and as much information as possible about security aspects of a target web server or network. The main purpose is to know about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet a web server to footprint a web server and gather information such as server name, server type, operating systems, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc. N etcraft Source: http://toolbar.netcraft.com Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module. Module 12 Page 1641 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
FIGURE 12.14: Webserver Footprinting (screenshot of the Netcraft toolbar site search for "microsoft", dated 3rd August 2012: 252 sites found, listing for each host the first-seen date, netblock owner, and detected OS or front end, e.g. Citrix NetScaler, Windows Server 2008, Windows Server 2003, Linux, F5 BIG-IP)
Webserver Footprinting Tools

We have already discussed the Netcraft tool. In addition to Netcraft, two more tools allow you to perform web server footprinting: httprecon and ID Serve.

httprecon

Source: http://www.computec.ch

httprecon is a tool for advanced web server fingerprinting. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of a given httpd implementation. This software is meant to improve the ease and efficiency of this kind of enumeration.
FIGURE 12.15: httprecon Screenshot (httprecon 7.3 fingerprinting http://www.nytimes.com:80/ with the GET existing, GET long request, GET non-existing, GET wrong protocol, HEAD existing and OPTIONS common probes; the HTTP/1.1 200 OK response shows Server: Apache, cache-control: no-cache, pragma: no-cache, two Set-Cookie headers and Vary: Host, and the match list of 352 implementations ranks Oracle Application Server 10g 10.1.2.2.0, Sun Java System Web Server 7.0, Abyss 2.5.0.0 X1, Apache 2.0.52 and Apache 2.2.6 highest)

ID Serve

Source: http://www.grc.com

ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
FIGURE 12.16: ID Serve (screenshot of ID Serve v1.02 querying www.google.com; the server query output shows Server: gws, Content-Length: 221, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN and Connection: close, and the server identified itself as gws)
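The headers that ID Serve and httprecon read off a server are exactly what the server's owner should review first. The following is added example code, not part of the course material and not from ID Serve or httprecon: it parses a raw HTTP response, flags a version number in the Server banner, lists missing hardening headers, and reports Set-Cookie values that lack Secure/HttpOnly. The two sample responses and the EXPECTED_HEADERS list are constructed assumptions.

```python
"""Audit what an HTTP response banner gives away, from the server owner's side.

Added example, not from the course material or from ID Serve/httprecon.
parse_response() splits a raw response into status line and headers,
banner_disclosure() flags a version number in the Server header,
cookie_findings() lists Set-Cookie values lacking Secure/HttpOnly, and
audit() combines them. SAMPLE_* responses and EXPECTED_HEADERS are constructed.
"""
import re
from typing import Dict, List, Tuple

# Hardening headers a defender wants present. X-Frame-Options appears in the
# ID Serve output in the text; the other three are assumed additions.
EXPECTED_HEADERS = (
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
    "content-security-policy",
)

# Constructed: resembles the httprecon capture (Apache with unflagged cookies).
SAMPLE_LEAKY = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Thu, 11 Oct 2012 09:34:37 GMT",
    "Server: Apache/2.2.6",
    "Cache-Control: no-cache",
    "Set-Cookie: ALT_ID=007f01; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.example.com",
    "Set-Cookie: adxcs=-; path=/; domain=.example.com",
    "Vary: Host",
    "",
    "<html>...</html>",
])

# Constructed: a hardened response that hides the version and flags its cookie.
SAMPLE_HARDENED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=31536000",
    "Content-Security-Policy: default-src 'self'",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "",
    "",
])


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status line, [(name, value), ...]) with lower-cased names.

    Duplicate names (several Set-Cookie lines) are kept in order; the body,
    if present, is dropped at the first blank line.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty response")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip lines that are not 'Name: value'
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def banner_disclosure(headers: List[Tuple[str, str]]) -> Tuple[str, bool]:
    """Return the Server banner and whether it discloses a version number."""
    server = next((v for n, v in headers if n == "server"), "")
    return server, bool(re.search(r"\d+\.\d+", server))


def cookie_findings(headers: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for Set-Cookie values lacking Secure/HttpOnly."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = value.split(";")
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def audit(raw: str) -> Dict[str, object]:
    """Summarise disclosure and missing hardening for one raw response."""
    status, headers = parse_response(raw)
    server, leaks_version = banner_disclosure(headers)
    present = {n for n, _ in headers}
    return {
        "status": status,
        "server": server,
        "server_leaks_version": leaks_version,
        "missing_headers": [h for h in EXPECTED_HEADERS if h not in present],
        "weak_cookies": cookie_findings(headers),
    }


if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(sample))
```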
Webserver Attack Methodology: Mirroring a Website

- Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
- Search for comments and other items in the HTML source code to make footprinting activities more efficient.
- Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.

Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror website is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, WebCopier, and BlackWidow.

HTTrack

Source: http://www.httrack.com

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.
FIGURE 12.17: Mirroring a Website (screenshot of HTTrack's "Site mirroring in progress" window for Test Project.whtt: 320.26KB saved in 2min22s, 1 active connection, links scanned 2/14 (+13), 14 files written, 0 files updated, 0 errors)
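The comment search the text recommends on a mirrored copy works just as well as a check on your own pages before they are published. The following is added example code, not part of the course material and not from HTTrack: it reports every HTML comment and hidden form field with its line number and tags those that match leak patterns. The LEAK_PATTERNS heuristics and SAMPLE_HTML are constructed assumptions.

```python
"""Scan HTML for comments and hidden fields that leak information.

Added example, not from the course material or from HTTrack. Anything a
mirroring tool can collect from the HTML source is also visible to the site
owner before publication; scan_html() reports every comment and hidden input
with its line number and tags those matching LEAK_PATTERNS, and flagged()
keeps only the tagged ones. LEAK_PATTERNS and SAMPLE_HTML are constructed.
"""
import re
from html.parser import HTMLParser

# Constructed heuristics for the kinds of remarks developers leave behind.
LEAK_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key)\b", re.I),
    "internal_host": re.compile(
        r"\b(localhost|\d{1,3}(?:\.\d{1,3}){3}|[\w-]+\.(?:local|internal|corp))\b", re.I),
    "dev_note": re.compile(r"\b(TODO|FIXME|HACK|XXX|debug)\b"),
    "path": re.compile(r"(?:[A-Za-z]:\\|/var/www|/home/)\S*"),
}


class CommentCollector(HTMLParser):
    """Collect (line, text) for comments and (line, name, value) for hidden inputs."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_inputs = []

    def handle_comment(self, data):
        line, _ = self.getpos()          # position of the construct being handled
        self.comments.append((line, data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            line, _ = self.getpos()
            self.hidden_inputs.append((line, a.get("name", ""), a.get("value", "")))


def scan_html(html):
    """Return findings sorted by line: {"line", "kind", "text", "flags"}."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        flags = [k for k, rx in LEAK_PATTERNS.items() if rx.search(text)]
        findings.append({"line": line, "kind": "comment", "text": text, "flags": flags})
    for line, name, value in parser.hidden_inputs:
        flags = [k for k, rx in LEAK_PATTERNS.items() if rx.search(f"{name} {value}")]
        findings.append({"line": line, "kind": "hidden_input",
                         "text": f"{name}={value}", "flags": flags})
    findings.sort(key=lambda f: f["line"])
    return findings


def flagged(html):
    """Only the findings that matched at least one leak pattern."""
    return [f for f in scan_html(html) if f["flags"]]


# Constructed page with one harmless comment and three leaks.
SAMPLE_HTML = """<html>
<head><title>Store</title></head>
<body>
<!-- Page layout by the web team -->
<!-- TODO: remove before launch, admin password is still the default -->
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="backend" value="db01.corp.internal">
</form>
<!-- staging mirror: http://staging.intranet.local/ -->
</body>
</html>
"""


if __name__ == "__main__":
    for f in flagged(SAMPLE_HTML):
        print(f"line {f['line']:>3} {f['kind']:<12} {f['flags']}  {f['text']}")
```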
Webserver Attack Methodology: Vulnerability Scanning

- Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited.
- Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
- Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities.
- Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.

Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners. Vulnerability scanning determines the vulnerabilities that exist in the web server and its configuration, and thus helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out active systems, network services, applications, and vulnerabilities present. Attackers also test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools such as HP WebInspect, Nessus, Paros proxy, etc. are used for vulnerability scanning to find hosts, services, and vulnerabilities.

Nessus

Source: http://www.nessus.org

Nessus is a security scanning tool that scans systems remotely and reports the vulnerabilities it detects before an attacker actually attacks and compromises them. Its features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

FIGURE 12.18: Nessus Screenshot
Webserver Attack Methodology: Session Hijacking

- Sniff valid session IDs to gain unauthorized access to the web server and snoop the data.
- Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs.
- Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.

Note: For complete coverage of session hijacking concepts and techniques, refer to Module 11: Session Hijacking.

Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the legitimate user sends the response with the correct sequence number. Thus, an attacker performs session hijacking. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

Burp Suite

Source: http://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.

FIGURE 12.19: Burp Suite Screenshot (Burp Suite Free Edition v1.4.01 target site map showing http://edition.cnn.com, with the filter hiding not-found items, CSS, image and general binary content, 4xx responses and empty folders; a GET request to /.element/ssi/ads.iframes/ returning status 200; and the branch context menu with add item to scope, spider this branch, actively/passively scan this branch, compare site maps, expand branch, delete branch, copy URLs/links in this branch, and save selected items)
Webserver Attack Methodology: Hacking Web Passwords

- Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack web server passwords.
- Use tools such as Brutus, THC-Hydra, etc.

One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.

Brutus

Source: http://www.hoobie.net

Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.

FIGURE 12.20: Brutus Screenshot (Brutus AET2, www.hoobie.net/brutus, January 2000, running an HTTP (Basic Auth) attack against target 10.0.0.17 using the HEAD method, with users.txt containing 6 users and words.txt containing 818 passwords, for a maximum of 4908 authentication attempts; the Positive Authentication Results pane lists hits for the admin and backup usernames)
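A Brutus run like the one in the screenshot leaves a very recognisable trace in the web server's access log: thousands of 401 responses to one client in a short time, one per guessed username and password. The following is added example code, not part of the course material and not from Brutus or THC-Hydra: a sliding-window detector over Apache/nginx combined-format log lines that alerts on a client exceeding a failure threshold, records the usernames it tried, and notes a later 200 as a likely successful guess. The SAMPLE_LOG lines, the client addresses, the threshold and the window are constructed assumptions.

```python
"""Flag HTTP Basic Auth brute forcing in access logs, from the defender's side.

Added example, not from the course material or from Brutus/THC-Hydra. A run
like the one in the screenshot above sends thousands of guesses that each get a
401 until one succeeds. detect_bruteforce() keeps a sliding window of 401s per
client, alerts when a client reaches THRESHOLD failures inside WINDOW, records
the usernames tried, and notes a later 200 (a likely successful guess). The
SAMPLE_LOG lines, client addresses, threshold and window are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined format. For a 401 Apache logs the username the client
# supplied in the third field, which is what makes the tried names visible.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
THRESHOLD = 10               # 401s inside the window before alerting (assumed)
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client ip: {"failures", "usernames", "success_after"}} for alerting clients."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the window
    total_401 = defaultdict(int)
    usernames = defaultdict(set)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, status = rec["ip"], rec["ts"], rec["status"]
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if status == 401:
            q.append(ts)
            total_401[ip] += 1
            if rec["user"] != "-":
                usernames[ip].add(rec["user"])
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": 0, "usernames": usernames[ip], "success_after": False}
            if ip in alerts:
                alerts[ip]["failures"] = total_401[ip]
        elif status == 200 and ip in alerts:
            alerts[ip]["success_after"] = True   # a guess got through after the burst
    return alerts


def _line(ip, user, ts, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - {user} [{ts.strftime(TS_FMT)}] "GET /admin/ HTTP/1.1" {status} 512'


# Constructed log: 12 guesses from one client two seconds apart, then a 200,
# alongside normal traffic from another client with a single mistyped password.
_T0 = datetime(2012, 10, 11, 9, 34, 37, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("203.0.113.9", ["admin", "backup"][i % 2], _T0 + timedelta(seconds=2 * i), 401)
    for i in range(12)
] + [
    _line("203.0.113.9", "admin", _T0 + timedelta(seconds=30), 200),
    _line("198.51.100.4", "-", _T0 + timedelta(seconds=5), 200),
    _line("198.51.100.4", "jsmith", _T0 + timedelta(seconds=40), 401),
    _line("198.51.100.4", "jsmith", _T0 + timedelta(seconds=45), 200),
    "this line is not in combined format",
]


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```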
Module Flow

The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.

- Webserver Concepts
- Webserver Attacks
- Webserver Attack Tools
- Attack Methodology
- Webserver Pen Testing
- Patch Management
- Webserver Security Tools
- Counter-measures

This section lists and describes various web server attack tools.
Webserver Attack Tools: Metasploit

- The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms.
- It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.

Source: http://www.metasploit.com

The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS.

Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting. Metasploit enables you to:

- Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
- Assess the security of web applications, network and endpoint systems, as well as email users
- Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
- Test with the world's largest public database of quality assured exploits
- Tunnel any traffic through compromised targets to pivot deeper into the network
- Collaborate more effectively with team members in concerted network tests
- Customize the content and template of executive, audit, and technical reports

FIGURE 12.21: Metasploit Screenshot (Metasploit web console overview with the Target System Status, Operating Systems (Top 5), Network Services (Top 5) and Project Activity (24 Hours) panels; the services panel counts DCERPC, SMB, NetBIOS, MSRPC and LSA servers)
Metasploit Architecture

The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.

FIGURE 12.22: Metasploit Architecture (diagram: a Libraries layer of Rex, Framework-Core and Framework-Base; the Interfaces msfconsole, msfcli, msfweb, msfwx and msfapi; Modules of type Exploits, Payloads, Encoders, NOPS and Auxiliary; with Custom plug-ins, Protocol Tools, Security Tools and Web Services Integration attached)
Metasploit Exploit Module

- It is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit.
- This module comes with simplified meta-information fields.
- Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.

The exploit module is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits. Following are the steps to exploit a system using the Metasploit framework:

- Configuring Active Exploit
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit
Metasploit Payload Module

- The payload module establishes a communication channel between the Metasploit framework and the victim host.
- It combines the arbitrary code that is executed as the result of an exploit succeeding.
- To generate payloads, first select a payload using the command shown below.

The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there. With the help of the payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. To generate payloads, first select a payload using the command:

    msf > use windows/shell_reverse_tcp
    msf payload(shell_reverse_tcp) > generate -h
    Usage: generate [options]
    Generates a payload.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -h        Help banner.
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -s <opt>  NOP sled length.
        -t <opt>  The output type: ruby, perl, c, or raw.

    msf payload(shell_reverse_tcp) >

FIGURE 12.23: Metasploit Payload Module
Metasploit Auxiliary Module

Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command.

    msf > use dos/windows/smb/ms06_035_mailslot
    msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
    RHOST => 1.2.3.4
    msf auxiliary(ms06_035_mailslot) > run
    [*] Mangling the kernel, two bytes at a time...
Metasploit NOPS Module

Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format.

    msf nop(opty2) > generate -h
    Usage: generate [options] length

    Generates a NOP sled of a given length.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -h        Help banner.
        -s <opt>  The comma separated list of registers to save.
        -t <opt>  The output type: ruby, perl, c, or raw.

To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

    msf > use x86/opty2
    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    "\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
    "\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
    "\x92\xb5\xd4\x4f\x91";
    msf nop(opty2) >

Figure 12.25: Metasploit NOPS Module
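As an added example (not part of the courseware and not Metasploit code), the following defender-side heuristic flags long runs of single-byte x86 NOP-equivalent instructions, the kind of signature a simple IDS applies to detect sleds, and runs it against a classic 0x90 sled and the opty2 sled printed above. The instruction set in SINGLE_BYTE_NOPS is an assumed heuristic; opty2 mixes multi-byte instructions, which is exactly why this naive check does not flag it.

```python
# Single-byte x86 instructions that do not disturb execution flow and are
# commonly used as NOP equivalents (assumed heuristic set, not exhaustive).
SINGLE_BYTE_NOPS = frozenset(
    [0x90]                            # nop
    + list(range(0x91, 0x98))         # xchg eax, reg
    + [0x98, 0x99, 0x9e, 0x9f]        # cwde, cdq, sahf, lahf
    + list(range(0x40, 0x50))         # inc/dec reg (32-bit mode)
    + [0x27, 0x2f, 0x37, 0x3f, 0xd6]  # daa, das, aaa, aas, salc
    + [0xf5, 0xf8, 0xf9, 0xfc, 0xfd]  # cmc, clc, stc, cld, std
)

def longest_nop_run(buf: bytes) -> int:
    """Length of the longest contiguous run of single-byte NOP equivalents."""
    best = run = 0
    for b in buf:
        run = run + 1 if b in SINGLE_BYTE_NOPS else 0
        best = max(best, run)
    return best

def looks_like_sled(buf: bytes, threshold: int = 16) -> bool:
    """Naive signature check: any run of at least `threshold` NOP equivalents."""
    return longest_nop_run(buf) >= threshold

# Classic sled: fifty plain 0x90 bytes (constructed).
CLASSIC_SLED = b"\x90" * 50

# The 50-byte opty2 sled printed by Metasploit in the text above; opty2 mixes
# multi-byte instructions, so no long run of single-byte NOPs exists.
OPTY2_SLED = bytes.fromhex(
    "f53d0515f867ba7d08d6669fb82db6"
    "24beb13f431d93b2373584d51440b4"
    "b341b948049946a9b0b72ffd964a98"
    "92b5d44f91"
)

if __name__ == "__main__":
    for name, sled in (("classic", CLASSIC_SLED), ("opty2", OPTY2_SLED)):
        print(f"{name}: longest run {longest_nop_run(sled)}, flagged={looks_like_sled(sled)}")
```

A detector that must catch polymorphic sleds needs to disassemble candidate offsets rather than match byte values, which is the gap this heuristic makes visible.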
Webserver Attack Tools: Wfetch

Source: http://www.microsoft.com

WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. It allows an attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols.

Wfetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem with a lightweight, very HTTP-friendly test environment. It allows for very granular testing down to authentication, authorization, custom headers, and much more.

Figure 12.26: Wfetch Screenshot
Web Password Cracking Tool: Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was originally written to help check routers for default and common passwords.

Features:

- HTTP (Basic Authentication)
- HTTP (HTML Form/CGI)
- POP3
- FTP
- SMB
- Telnet
- Multi-stage authentication engine
- No user name, single user name, and multiple user name modes
- Password list, combo (user/password) list, and configurable brute-force modes
- Highly customizable authentication sequences
- Load and resume position
- Import and export custom authentication types as BAD files seamlessly
- SOCKS proxy support for all authentication types
- User and password list generation and manipulation functionality
- HTML Form interpretation for HTML Form/CGI authentication types
- Error handling and recovery capability, including resume after crash/failure

Figure 12.27: Brutus Screenshot
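As an added example (not part of the courseware or of Brutus), this detection routine finds an HTTP Basic Auth password-guessing run of the kind described above, many requests from one source each answered 401 and cycling a few usernames, in web server access logs. The log layout, the field that carries the presented username, and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style line; the third field is the Basic Auth username the
# client presented (assumed layout, matching the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_basic_auth_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map source IP -> (failed attempts, distinct usernames) for every source
    that produced at least `threshold` 401 responses inside one `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[rec["ip"]].append((rec["ts"], rec["user"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (len(events), len({u for _, u in events}))
    return hits

# Constructed sample: one host cycling two usernames with HEAD requests, all
# answered 401, plus a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = [
    f'10.0.0.5 - {u} [12/Jan/2000:10:00:{i:02d} +0000] "HEAD /admin/ HTTP/1.0" 401 -'
    for i, u in enumerate(["admin", "backup"] * 6)
] + [
    '192.168.1.20 - alice [12/Jan/2000:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 -',
    '192.168.1.20 - alice [12/Jan/2000:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 512',
]
```

The single mistyped password from 192.168.1.20 stays below the threshold, while the guessing host is reported with its attempt count and the number of usernames tried.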
