CEH v5 Module 11 Hacking Webservers.pdf


8/9/2019 CEH v5 Module 11 Hacking Webservers.pdf

    1/63

    Module XI: Hacking Web Servers

    Ethical Hacking Version 5


    EC-Council. Copyright by EC-Council. All Rights reserved. Reproduction is strictly prohibited.

    Scenario

    SpeedCake4u, a cake manufacturing firm, wants to set up a website for showcasing its products. Matt, a high school graduate, was assigned the task of building the website. Even though Matt was not a pro in website building, the $2000 pay was the main motivation for him to take up the task.

    He builds a website with all the features that the company management asked for.

    The following day the cake manufacturing firm's website was defaced with the title "Your cake stinks!"

    How was it possible to deface the website?

    Is Matt the culprit?


    Security News: http://news.com.com/2102-7349_3-6085589.html?tag=st.util.print


    Module Objective

    This module will familiarize you with the following:

    Web Servers

    Popular Web Servers and Common Vulnerabilities

    Apache Web Server Security

    IIS Server Security

    Attacks against Web Servers

    Tools used in Attack

    Patch Management

    Understanding Vulnerability Scanners

    Countermeasures

    Increasing Web Server Security


    Module Flow

    Web Servers

    Increasing Web Server Security

    Apache Vulnerability

    Web Server Defacement

    Hacking Tools to Exploit Vulnerabilities

    Web Server Vulnerabilities

    Countermeasures

    Attacks against IIS

    Vulnerability Scanners

    Patch Management


    How Web Servers Work

    The browser connects to the server and requests a page

    The server sends back the requested page

    [Figure: a machine running a web browser exchanging the request and the page with a server machine running a web server]


    How Web Servers Work (contd.)

    1. The browser breaks the URL into three parts:
       1. The protocol ("http")
       2. The server name ("www.website.com")
       3. The filename ("webpage.html")

    2. The browser communicates with a name server, which translates the server name, www.website.com, into an IP address

    3. The browser then forms a TCP connection to the web server at that IP address on port 80

    4. Following the HTTP protocol, the browser sends a GET request to the server, asking for the file http://webpage.html

    5. The server sends the HTML text for the web page to the browser

    6. The browser reads the HTML tags and formats the page onto the screen


    How are Web Servers Compromised?

    Misconfigurations: in operating systems or networks

    Bugs: OS bugs may allow commands to be run on the web

    Installing the server with defaults: service packs may not be applied in the process, leaving holes behind

    Lack of proper security policy, procedures, and maintenance may create many loopholes for attackers to exploit


    Web Server Defacement


    How are Web Servers Defaced?

    Credentials obtained through a man-in-the-middle attack

    Password brute force of the Administrator account

    DNS attack through cache poisoning

    DNS attack through social engineering

    FTP server intrusion

    Mail server intrusion

    Web application bugs

    Web share misconfigurations

    Wrongly assigned permissions

    Rerouting after firewall attack

    Rerouting after router attack

    SQL Injection

    SSH intrusion

    Telnet intrusion

    URL poisoning

    Web server extension intrusion

    Remote service intrusion


    Apache Vulnerability

    Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes.

    For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20: long URLs passing through the mod_negotiation, mod_dir and mod_autoindex modules could cause Apache to list directory contents.

    The concept is simple but requires a few trial runs.

    A URL with a large number of trailing slashes, such as

    /cgi-bin/////////////// / // / / / / / // / / /

    could produce a directory listing of the original directory.


    Attacks Against IIS

    IIS is one of the most widely used web server platforms on the Internet

    Microsoft's web server has been a frequent target over the years

    Various vulnerabilities have been used to attack it. Examples include:

    ::$DATA vulnerability

    showcode.asp vulnerability

    Piggybacking vulnerability

    Privilege command execution

    Buffer overflow exploits (IIShack.exe)

    WebDAV / RPC exploits

    Warning: these outdated vulnerabilities have been presented here as a proof of concept to demonstrate how a buffer overflow attack works


    IIS Components

    IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities. Examples: server-side scripting, content indexing, web-based printing, and so on

    This architecture provides attackers with different functionality to exploit via malicious input


    IIS Directory Traversal (Unicode) Attack

    The vulnerability in unpatched Windows 2000 machines results from a canonicalization error affecting CGI scripts and ISAPI extensions (.ASP is probably the best known ISAPI-mapped file type)

    Canonicalization is the process by which various equivalent forms of a name can be resolved to a single, standard name

    For example, "%c0%af" and "%c1%9c" are overlong representations for "/" and "\". Thus, by feeding the HTTP request (as shown below) to IIS, arbitrary commands can be executed on the server:

    GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir=c:\ HTTP/1.0

    Warning: this outdated vulnerability has been presented here as a proof of concept to demonstrate how a buffer overflow attack works


    Unicode

    ASCII characters for the dots are replaced with the Unicode equivalent (%2E)

    ASCII characters for the slashes are replaced with the Unicode equivalent (%c0%af)

    Unicode 2.0 allows multiple encoding possibilities for each character

    Unicode for "/": 2f, c0af, e080af, f08080af, f8808080af, .....

    Overlong Unicode is NOT malformed, but is not allowed by a correct Unicode encoder and decoder

    Maliciously used to bypass filters that check only short Unicode


    Unicode Directory Traversal

    Vulnerability occurs due to a canonicalization error in Microsoft IIS 4.0 and 5.0

    A malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders

    This allows the attacker to escalate his privileges on the machine

    This would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it

    This vulnerability can be exploited by using NETCAT as the backdoor (Trojan horse)

    Warning: this outdated vulnerability has been presented here as a proof of concept to demonstrate how a privilege escalation attack works.
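The decoder a server needs in order to close the canonicalization gap the last three slides describe, as an added example that is not part of the CEH material or of IIS: it percent-decodes once, refuses overlong UTF-8 such as %c0%af and %c1%9c, treats backslash as a separator, and rejects any path that climbs above the web root. WEB_ROOT and the sample request paths are assumptions made for the demonstration.

```python
"""Strict request-path canonicalization with overlong-UTF-8 rejection.

Added example, not code from the CEH slides or from IIS. Order matters:
decode first, then check the decoded path, so no encoding can slip a
'..' or a '/' past the containment check. WEB_ROOT is constructed.
"""
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
WEB_ROOT = "/inetpub/wwwroot"   # constructed; POSIX style so the example runs anywhere


class BadPath(ValueError):
    """The request must be rejected (HTTP 400), not served."""


def percent_decode_once(path: str) -> bytes:
    """Decode %XX escapes a single time; a second pass is how %252e slips past filters."""
    try:
        raw = path.encode("ascii")
    except UnicodeEncodeError as exc:
        raise BadPath("non-ASCII byte in request line") from exc
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def decode_utf8_strict(raw: bytes) -> str:
    """UTF-8 decoder that rejects overlong sequences, surrogates and stray bytes.

    c0 af, e0 80 af and f0 80 80 af are well-formed bit patterns for '/', but
    each encodes a code point below the minimum for its length. A correct
    decoder refuses them; the IIS canonicalization bug accepted them.
    """
    out, i, n = [], 0, len(raw)
    while i < n:
        lead = raw[i]
        if lead < 0x80:                       # plain ASCII
            out.append(chr(lead))
            i += 1
            continue
        # Lead ranges deliberately include c0/c1 and f5..f7 so that overlong
        # forms reach the minimum-value check below instead of a generic error.
        if 0xC0 <= lead <= 0xDF:
            need, cp, minimum = 1, lead & 0x1F, 0x80
        elif 0xE0 <= lead <= 0xEF:
            need, cp, minimum = 2, lead & 0x0F, 0x800
        elif 0xF0 <= lead <= 0xF7:
            need, cp, minimum = 3, lead & 0x07, 0x10000
        else:                                 # stray continuation byte, or 0xF8 and above
            raise BadPath(f"invalid lead byte 0x{lead:02x} at offset {i}")
        if i + need >= n:
            raise BadPath(f"truncated UTF-8 sequence at offset {i}")
        for k in range(1, need + 1):
            cont = raw[i + k]
            if cont & 0xC0 != 0x80:
                raise BadPath(f"bad continuation byte 0x{cont:02x} at offset {i + k}")
            cp = (cp << 6) | (cont & 0x3F)
        if cp < minimum:
            raise BadPath(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise BadPath(f"invalid code point U+{cp:X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def canonicalize(request_path: str, web_root: str = WEB_ROOT) -> str:
    """Return the single file-system path a request maps to, or raise BadPath."""
    if not request_path.startswith("/"):
        raise BadPath("request path must be absolute")
    decoded = decode_utf8_strict(percent_decode_once(request_path))
    if "\x00" in decoded:
        raise BadPath("NUL byte in path")
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):   # IIS treats '\' as '/', so must we
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise BadPath("traversal above the web root")
            segments.pop()
        else:
            segments.append(seg)
    return web_root + "/" + "/".join(segments)


def check(request_path: str) -> tuple:
    """('ok', path) or ('reject', reason): the decision a request filter would log."""
    try:
        return ("ok", canonicalize(request_path))
    except BadPath as exc:
        return ("reject", str(exc))
```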


    Hacking Tool: IISxploit.exe

    This tool automates the directory traversal exploit in IIS

    It creates the Unicode string for exploitation


    Msw3prt IPP Vulnerability

    The ISAPI extension responsible for IPP is msw3prt.dll

    An oversized print request containing valid program code can be used to perform a new function or load a different, separate program and cause a buffer overflow

    Warning: this outdated vulnerability has been presented here as a proof of concept to demonstrate how a buffer overflow attack works


    WebDAV / ntdll.dll Vulnerability

    WebDAV stands for "Web-based Distributed Authoring and Versioning"

    The IIS WebDAV component utilizes ntdll.dll when processing incoming WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system

    This vulnerability enables attackers to cause:

    Denial-of-service against Win2K machines

    Execution of malicious code

    Warning: this outdated vulnerability has been presented here as a proof of concept to demonstrate how a Denial of Service attack works


    Real World Instance of WebDAV Exploit


    RPC DCOM Vulnerability

    It exists in the Windows Component Object Model (COM) subsystem, which is a critical service used by many Windows applications

    The DCOM service allows COM objects to communicate with one another across a network and is activated by default on Windows NT, 2000, XP, and 2003

    Attackers can reach the vulnerability in COM via any of the following ports:

    TCP and UDP port 135 (Remote Procedure Call)

    TCP ports 139 and 445 (NetBIOS)

    TCP port 593 (RPC-over-HTTP)

    Any IIS HTTP/HTTPS port if COM Internet Services are enabled

    RPC Exploit-GUI Hacking Tool

    Warning: this outdated vulnerability has been presented here as a proof of concept to demonstrate how a buffer overflow works


    ASN Exploits

    ASN, or Abstract Syntax Notation, is used for representing different types of binary data such as numbers or strings of text

    The ASN.1 exploit targets a Windows authentication protocol known as NT LAN Manager V2, or NTLMv2

    The attacker can run a program that will cause machines using a vulnerable version of the ASN.1 library to reboot, producing a so-called denial-of-service attack


    ASP Trojan (cmd.asp)

    ASP Trojan is a small script that, when uploaded to a web server, allows you complete control of the remote PC

    ASP Trojan can be easily attached to shrink-wrap applications, thereby creating a backdoor


    IIS Logs

    IIS logs all the visits in log files. The log file is located at: \logfiles

    If proxies are not used, then the IP can be logged

    This command lists the log files:

    http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1


    Network Tool: Log Analyzer

    This tool helps to grab web server logs and build graphically rich, self-explanatory reports on website usage statistics, referring sites, traffic flow, search phrases, etc.


    Hacking Tool: CleanIISLog

    This tool clears the log entries in the IIS log files filtered by an IP address

    An attacker can easily cover his trace by removing entries based on his IP address in W3SVC log files
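Log triage for the two slides above (the W3SVC1 log and CleanIISLog), added here and not part of the CEH material or of any Microsoft tool: it parses IIS W3C Extended log lines via their #Fields directive, flags the traversal requests this module describes, and reconciles the on-server file against a copy forwarded off-host at write time, which is the control that makes per-IP log cleaning visible. The log lines, addresses and field set are constructed for the demonstration.

```python
"""Triage of an IIS W3C Extended log (W3SVC1) against an off-host copy.

Added example, not code from the CEH slides or from Microsoft. Both log
texts and every address in them are constructed for the demonstration.
"""
import re
from collections import Counter

TRAVERSAL = re.compile(
    r"(\.\.|%2e%2e)(/|\\|%2f|%5c|%c0%af|%c1%9c)"   # '..' then any encoding of a separator
    r"|%c0%ae|%c1%9c|%c0%af"                      # overlong '.', '\', '/' on their own
    r"|cmd\.exe",                                  # the usual target of the traversal
    re.IGNORECASE,
)

# Full log as it reached the central log host (constructed).
FORWARDED_LOG = r"""
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2019-08-09 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2019-08-09 10:01:02 192.0.2.10 GET /index.htm - 200
2019-08-09 10:01:05 192.0.2.10 GET /images/logo.gif - 200
2019-08-09 10:02:11 203.0.113.5 GET /default.asp - 200
2019-08-09 10:02:40 203.0.113.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2019-08-09 10:02:58 203.0.113.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\winnt\system32\logfiles 200
2019-08-09 10:03:40 198.51.100.7 GET /cakes.htm - 404
2019-08-09 10:04:12 192.0.2.10 GET /contact.htm - 200
"""

# The same file read from the server afterwards: every 203.0.113.5 line is gone (constructed).
SERVER_LOG = r"""
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2019-08-09 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2019-08-09 10:01:02 192.0.2.10 GET /index.htm - 200
2019-08-09 10:01:05 192.0.2.10 GET /images/logo.gif - 200
2019-08-09 10:03:40 198.51.100.7 GET /cakes.htm - 404
2019-08-09 10:04:12 192.0.2.10 GET /contact.htm - 200
"""


def parse_w3c(text: str) -> list:
    """Turn W3C Extended log text into dicts keyed by the names in '#Fields:'."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # the field set may change mid-file
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def flag_traversal(records: list) -> list:
    """Entries whose stem or query carries a traversal indicator; sc-status 200 suggests it worked."""
    hits = []
    for rec in records:
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        if TRAVERSAL.search(target):
            hits.append(rec)
    return hits


def removed_entries(server_text: str, forwarded_text: str) -> Counter:
    """Count, per client IP, forwarded entries that no longer exist in the on-server log."""
    on_server = Counter(tuple(sorted(r.items())) for r in parse_w3c(server_text))
    missing = Counter()
    for rec in parse_w3c(forwarded_text):
        key = tuple(sorted(rec.items()))
        if on_server[key] > 0:
            on_server[key] -= 1          # matched a surviving line
        else:
            missing[rec["c-ip"]] += 1    # present off-host, absent on the server
    return missing
```

Reconciliation only works if the forwarded copy left the host before the cleaning happened, which is why the forwarding has to be continuous rather than a nightly batch.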


    Unspecified Executable Path Vulnerability

    When executables and DLL files are not preceded by a path in the registry (e.g. explorer.exe does not have a fixed path by default), Windows NT 4.0 / 2000 will search for the file in the following locations, in this order:

    the directory from which the application loaded

    the current directory of the parent process

    ...\system32

    ...\system

    the Windows directory

    the directories specified in the PATH environment variable
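An audit for the condition this slide describes, added here and not part of the CEH material or of Windows: it flags command values whose program is a bare name and models the search order listed above to show which directory would satisfy such a name first. The registry value names, paths and directory contents are constructed.

```python
"""Audit of executable references that omit a full path.

Added example, not code from the CEH slides or from Microsoft. The Windows
directory, registry values and directory listings are all constructed.
"""
import re

_QUALIFIED = re.compile(r'^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)')   # drive, UNC, or %VAR%\ prefix

# Constructed stand-in for the registry values an audit would read.
SAMPLE_VALUES = {
    "Shell": "explorer.exe",                                   # bare name: found by search order
    "Userinit": r"C:\WINNT\system32\userinit.exe,",
    "Backup": r'"C:\Program Files\Backup\agent.exe" /quiet',
    "Indexer": r"%SystemRoot%\system32\cidaemon.exe",
    "Control": "rundll32.exe shell32.dll,Control_RunDLL",      # bare name
}

# Constructed directory listing: the real explorer.exe lives in the Windows
# directory, and a writable directory searched earlier also holds that name.
SAMPLE_FS = {
    r"C:\WINNT": {"explorer.exe", "notepad.exe"},
    r"C:\WINNT\system32": {"userinit.exe", "cidaemon.exe"},
    r"C:\Inetpub\scripts": {"explorer.exe"},
}


def executable_of(command: str) -> str:
    """Return the program token of a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_fully_qualified(command: str) -> bool:
    """True when the program is named by drive, UNC or %VAR% path, not by search order."""
    return bool(_QUALIFIED.match(executable_of(command)))


def audit(values: dict) -> list:
    """Names of registry values whose program would be located by search order."""
    return sorted(name for name, cmd in values.items() if not is_fully_qualified(cmd))


def search_order(app_dir: str, parent_cwd: str, path_dirs: list, windir: str = r"C:\WINNT") -> list:
    """The lookup order from the slide, with the two per-process directories filled in."""
    return [app_dir, parent_cwd, windir + r"\system32", windir + r"\system", windir, *path_dirs]


def resolve(name: str, order: list, fs: dict):
    """First directory in 'order' holding 'name' (case-insensitive, like NTFS), else None."""
    wanted = name.lower()
    for directory in order:
        if wanted in {f.lower() for f in fs.get(directory, ())}:
            return directory
    return None
```

The second resolve in the checks below is the point of the audit: the same bare name lands somewhere else the moment the parent process runs with a different current directory.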


    Metasploit Framework

    Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code

    A tool for penetration testing, exploit development, and vulnerability research

    The framework was composed in the Perl scripting language and consists of several components written in C, assembler, and Python

    Runs on any UNIX-like system under its default configuration

    A customized Cygwin environment for Windows OS users

    http://www.metasploit.com


    Metasploit - Screenshot


    Immunity CANVAS Professional

    Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide

    CANVAS Professional's completely open design allows a team to adapt CANVAS Professional to their environment and needs

    CANVAS Professional supports Windows, Linux, Mac OS X and other Python environments

    One license costs $1244. One license allows up to 10 users/installations

    Source courtesy: http://www.immunitysec.com/products-canvas.shtml


    Screenshot 1


    Screenshot 2


    Core Impact

    CORE IMPACT is the first automated, comprehensive penetration testing product for assessing specific information security threats to an organization

    By safely exploiting vulnerabilities in your network infrastructure, the product identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments


    Screenshots


    Hotfixes and Patches

    A hotfix is code that fixes a bug in a product. The users may be notified through emails or through the vendor's website

    Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack

    A patch can be considered a repair job for a problem in a piece of programming. A patch is the immediate solution that is provided to users


    What is Patch Management?

    Patch management is a process used to ensure that the appropriate patches are installed on a system

    It involves the following:

    Choosing, verifying, testing, and applying patches

    Updating previously applied patches with current patches

    Listing patches applied previously to the current software

    Recording repositories, or depots, of patches for easy selection

    Assigning and deploying applied patches


    Solution: UpdateExpert

    UpdateExpert is a Windows administration program that helps you secure your systems by remotely managing service packs and hotfixes

    Microsoft constantly releases updates for the OS and mission-critical applications, which fix security vulnerabilities and system stability problems

    UpdateExpert enhances security, keeps systems up-to-date, eliminates sneaker-net, improves system reliability and QoS


    Screenshot


    Patch Management Tool: qfecheck

    Qfecheck allows customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for Microsoft Windows 2000

    Qfecheck.exe determines which hotfixes are installed by reading the information stored in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates


    Patch Management Tool: HFNetChk

    A command-line tool that enables the administrator to check the patch status of all the machines in a network remotely

    It does this by referring to an XML database that Microsoft constantly updates


    cacls.exe Utility

    The built-in Windows 2000 utility (cacls.exe) can set access control list (ACL) permissions globally

    To change permissions on all executable files to System:Full, Administrators:Full:

    C:\>cacls.exe c:\myfolder\*.exe /T /G System:F Administrators:F


    Vulnerability Scanners

    The different types of vulnerability scanners according to their availability are:

    Online Scanners: e.g. www.securityseers.com

    Open Source Scanners: e.g. Snort, Nessus Security Scanner, and Nmap

    Linux Proprietary Scanners: The resource for scanners on Linux is SANE (Scanner Access Now Easy). Besides SANE there is XVScan, Parallel Port Scanners under Linux, and USB Scanners on Linux

    Commercial Scanners: You can purchase these from the vendors


    Online Vulnerability Search Engine


    Network Tool: N-Stealth HTTP Vulnerability Scanner


    Hacking Tool: WebInspect

    WebInspect is an impressive web server and application-level vulnerability scanner that scans for over 1,500 known attacks

    It checks site contents and analyzes for rudimentary application issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter checks

    It can analyze a basic web server in 4 minutes, cataloging over 1,500 HTML pages


    Network Tool: Shadow Security Scanner

    Shadow Security Scanner is designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's Internet, intranet, and extranet environments

    Shadow Security Scanner includes vulnerability auditing modules for many systems and services

    These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP, LDAP, TCP/IP, UDP, Registry, Services, users and accounts, password vulnerabilities, publishing extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgreSQL, Interbase, MiniSQL, and more


    Screenshots



    SecureIIS

    Developed by eEye Digital Security specifically for Windows-based web servers, SecureIIS operates within Microsoft's IIS to protect your servers against known and unknown attacks


    Countermeasures

    IISLockdown: IISLockdown restricts anonymous access to system utilities as well as the ability to write to web content directories

    It disables Web Distributed Authoring and Versioning (WebDAV)

    It installs the URLScan ISAPI filter

    URLScan: UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator

    MBSA Utility: Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that determines the security state in accordance with Microsoft security recommendations and offers specific remediation guidance


    File System Traversal Countermeasures

    Microsoft recommends setting the NTFS ACLs on cmd.exe and several other powerful executables to Administrators and SYSTEM: Full Control only

    Sample files must be removed

    Monitor the audit logs

    Apply Microsoft patches and hotfixes regularly


    Increasing Web Server Security

    Use of Firewalls

    Administrator Account Renaming

    Disabling the Default Websites

    Removal of Unused Application Mappings

    Disabling Directory Browsing

    Legal Notices

    Service Packs, Hotfixes, and Templates

    Checking for Malicious Input in Forms and Query Strings

    Disable Remote Administration


    Web Server Protection Checklist


    (contd.)

    8. Accounts

    Remove unused accounts

    Disable guest

    Rename administrator account

    Disable null user connections

    Enable administrator to log on locally

    9. IIS Metabase

    Access to the metabase is restricted by using NTFS permissions

    10. Files and Directories

    Files and directories are contained on NTFS volumes

    Web site content is located on a non-system NTFS volume

    Web site root directory has deny write for IUSR_COMPUTERNAME

    11. Server Certificates

    The certificate's public key is valid, all the way to a trusted root authority

    12. Shares

    Administrative shares (C$ and Admin$) are removed

    13. Machine.config

    1. Unused HttpModules are removed

    2. Tracing is disabled

    14. Ports

    Restrict Web applications to use only ports 80 and 443

    15. Code Access Security

    Code access security is enabled on the server



    What happened next?

    Jason Springfield, an Ethical Hacker, was called in to investigate the matter. During his tests, Jason found that the website had all default configurations, and no precautionary steps were taken while building the website.

    The test exposed a lot of security loopholes in the website.

    The defacement was possible as the website was built with all default configuration. The web server was not updated and hotfixes were not installed. There was a flaw in the Index.htm file of the website.

    The attacker exploited this flaw, and defacing was a piece of cake for him!!

    Jason fixed the holes and changed the default configurations. This incident made the management of SpeedCake4u realize the need for a professional web designer.



    Summary

    Web servers assume critical importance in the realm of Internet security

    Vulnerabilities exist in different releases of popular web servers and the respective vendors patch these often

    The inherent security risks owing to compromised web servers have an impact on the local area networks that host these websites, and even on the normal users of web browsers

    Looking through the long list of vulnerabilities that have been discovered and patched over the past few years provides an attacker ample scope to plan attacks on unpatched servers

    Different tools/exploit codes aid an attacker in perpetrating web server hacking

    Countermeasures include scanning for existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering
