CEH v5 Module 11 Hacking Webservers.pdf
-
8/9/2019 CEH v5 Module 11 Hacking Webservers.pdf
1/63
Module XI: Hacking Web Servers
Ethical Hacking Version 5
-
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Scenario
SpeedCake4u, a cake manufacturing firm, wants to set up a website for showcasing its products. Matt, a high school graduate, was assigned the task of building the website. Even though Matt was not a pro in website building, the $2000 pay was the main motivation for him to take up the task.
He builds a website with all the features that the company management asked for.
The following day, the cake manufacturing firm's website was defaced with the title "Your cake stinks!"
How was it possible to deface the website?
Is Matt the culprit?
-
Security News
http://news.com.com/2102-7349_3-6085589.html?tag=st.util.print
-
Module Objective
This module will familiarize you with the following:
Web Servers
Popular Web Servers and Common Vulnerabilities
Apache Web Server Security
IIS Server Security
Attacks against Web Servers
Tools used in Attack
Patch Management
Understanding Vulnerability Scanners
Countermeasures
Increasing Web Server Security
-
Module Flow
Web Servers
Increasing Web Server Security
Apache Vulnerability
Web Server Defacement
Hacking Tools to Exploit Vulnerabilities
Web Server Vulnerabilities
Countermeasures
Attacks against IIS
Vulnerability Scanners
Patch Management
-
How Web Servers Work
The browser connects to the server and requests a page
The server sends back the requested page
Server machine running a web server
Machine running web browser
-
How Web Servers Work (cont'd)
1. The browser breaks the URL into three parts:
   1. The protocol ("http")
   2. The server name ("www.website.com")
   3. The filename ("webpage.html")
2. The browser communicates with a name server, which translates the server name, www.website.com, into an IP address
3. The browser then forms a TCP connection to the web server at that IP address on port 80
4. Following the HTTP protocol, the browser sends a GET request to the server, asking for the file http://webpage.html
5. The server sends the HTML text for the web page to the browser
6. The browser reads the HTML tags and formats the page onto the screen
-
How are Web Servers Compromised?
Misconfigurations: In operating systems or networks
Bugs: OS bugs may allow commands to be run on the web
Installing the server with defaults: Service packs may not be applied in the process, leaving holes behind
Lack of proper security policy, procedures, and maintenance may create many loopholes for attackers to exploit
-
Web Server Defacement
-
How are Web Servers Defaced?
Credentials through Man-in-the-middle attack
Password brute force Administrator account
DNS attack through cache poisoning
DNS attack through social engineering
FTP server intrusion
Mail server intrusion
Web application bugs
Web shares misconfigurations
Wrongly assigned permissions
Rerouting after firewall attack
Rerouting after router attack
SQL Injection
SSH intrusion
Telnet intrusion
URL poisoning
Web Server extension intrusion
Remote service intrusion
-
Apache Vulnerability
The Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes
For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20
Long URLs passing through the mod_negotiation, mod_dir, and mod_autoindex modules could cause Apache to list directory contents
The concept is simple but requires a few trial runs
A URL with a large number of trailing slashes:
/cgi-bin////////////////////////////
could produce a directory listing of the original directory
-
Attacks Against IIS
IIS is one of the most widely used web server platforms on the Internet
Microsoft's web server has been a frequent target over the years
It has been attacked through various vulnerabilities. Examples include:
::$DATA vulnerability
showcode.asp vulnerability
Piggy backing vulnerability
Privilege command execution
Buffer Overflow exploits (IIShack.exe)
WebDav / RPC Exploits
Warning: These outdated vulnerabilities have been presented here as a proof of concept to demonstrate how a buffer overflow attack works
-
IIS Components
IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities. Example: server side scripting, content indexing, web-based printing, and so on
This architecture provides attackers with different functionality to exploit via malicious input
-
IIS Directory Traversal (Unicode) Attack
The vulnerability in unpatched Windows 2000 machines results from a canonicalization error affecting CGI scripts and ISAPI extensions (.ASP is probably the best known ISAPI-mapped file type)
Canonicalization is the process by which various equivalent forms of a name can be resolved to a single, standard name
For example, "%c0%af" and "%c1%9c" are overlong representations for "/" and "\"
Thus, by feeding the HTTP request (as shown below) to IIS, arbitrary commands can be executed on the server:
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir=c:\ HTTP/1.0
Warning: This outdated vulnerability has been presented here as a proof of concept to demonstrate how a buffer overflow attack works
-
Unicode
ASCII characters for the dots are replaced with the Unicode equivalent (%2E)
ASCII characters for the slashes are replaced with the Unicode equivalent (%c0%af)
Unicode 2.0 allows multiple encoding possibilities for each character
Unicode for "/": 2f, c0af, e080af, f08080af, f8808080af, ...
Overlong Unicode is NOT malformed, but is not allowed by a correct Unicode encoder and decoder
It is maliciously used to bypass filters that check only short Unicode
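The overlong forms listed above can be checked mechanically. The following Python sketch is an added example, not part of the original slides: it decodes percent-escaped request paths the way a decoder without an overlong check would, flags every overlong sequence, and shows that a ".." segment filter applied before decoding misses the slide's request while the same filter applied after decoding catches it. The function names and the two extra sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Smallest code point that genuinely needs a sequence of each length; a lower
# value encoded at that length is an overlong form (e.g. c0 af for "/").
MIN_FOR_LENGTH = {1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}
LEAD_PATTERNS = [(0xE0, 0xC0), (0xF0, 0xE0), (0xF8, 0xF0), (0xFC, 0xF8), (0xFE, 0xFC)]


def sequence_length(lead):
    """Length announced by a lead byte in the original 1-6 byte scheme, else 0."""
    if lead < 0x80:
        return 1
    for length, (mask, pattern) in enumerate(LEAD_PATTERNS, start=2):
        if lead & mask == pattern:
            return length
    return 0  # continuation byte, 0xFE or 0xFF


def lenient_decode(data):
    """Decode like a decoder that skips the overlong check.

    Returns (text, overlong); overlong lists (hex of the bytes, decoded char).
    """
    out, overlong, i = [], [], 0
    while i < len(data):
        n = sequence_length(data[i])
        chunk = data[i:i + n]
        if n == 0 or len(chunk) < n or any(b & 0xC0 != 0x80 for b in chunk[1:]):
            out.append("\ufffd")  # malformed: substitute and resynchronise
            i += 1
            continue
        cp = data[i] if n == 1 else data[i] & (0xFF >> (n + 1))
        for b in chunk[1:]:
            cp = (cp << 6) | (b & 0x3F)
        char = chr(cp) if cp <= 0x10FFFF else "\ufffd"
        if cp < MIN_FOR_LENGTH[n]:
            overlong.append((chunk.hex(), char))
        out.append(char)
        i += n
    return "".join(out), overlong


def has_dotdot_segment(path):
    """True if any path segment, split on / or \\, is exactly '..'."""
    return ".." in re.split(r"[/\\]", path)


def inspect_request_path(raw_path):
    """Compare a filter that checks bytes before decoding with one that checks after."""
    raw = unquote_to_bytes(raw_path)
    decoded, overlong = lenient_decode(raw)
    return {
        "decoded": decoded,
        "overlong": overlong,
        "caught_before_decoding": has_dotdot_segment(raw.decode("latin-1")),
        "caught_after_decoding": has_dotdot_segment(decoded),
        # Policy: any overlong form is rejected outright, never "repaired".
        "reject": bool(overlong) or has_dotdot_segment(decoded),
    }


# Encodings of "/" listed on the slide, plus constructed sample request paths.
SLASH_FORMS = ["2f", "c0af", "e080af", "f08080af", "f8808080af"]
SAMPLE_PATHS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe",  # path from the slide
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",  # constructed, overlong "\"
    "/images/caf%c3%a9.png",                       # constructed, valid 2-byte UTF-8
]

if __name__ == "__main__":
    for form in SLASH_FORMS:
        print(form, lenient_decode(bytes.fromhex(form)))
    for path in SAMPLE_PATHS:
        print(path, inspect_request_path(path))
```

A strict decoder, such as Python's built-in bytes.decode("utf-8"), raises an error on every form in the list except 2f, which is the behaviour a server-side canonicalizer should have.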
-
Unicode Directory Traversal Vulnerability
Occurs due to a canonicalization error in Microsoft IIS 4.0 and 5.0
A malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders
This allows the attacker to escalate his privileges on the machine
This would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it
This vulnerability can be exploited by using NETCAT as the backdoor (Trojan horse)
Warning: This outdated vulnerability has been presented here as a proof of concept to demonstrate how a privilege escalation attack works.
-
Hacking Tool: IISxploit.exe
This tool automates the directory traversal exploit in IIS
It creates the Unicode string for exploitation
-
Msw3prt IPP Vulnerability
The ISAPI extension responsible for IPP is msw3prt.dll
An oversized print request containing valid program code can be used to perform a new function or load a different separate program and cause a buffer overflow
Warning: This outdated vulnerability has been presented here as a proof of concept to demonstrate how a buffer overflow attack works
-
WebDAV / ntdll.dll Vulnerability
WebDAV stands for "Web-based Distributed Authoring and Versioning"
The IIS WebDAV component utilizes ntdll.dll when processing incoming WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system
This vulnerability enables attackers to cause:
Denial-of-service against Win2K machines
Execution of malicious codes
Warning: This outdated vulnerability has been presented here as a proof of concept to demonstrate how a Denial of Service attack works
-
Real World Instance of WebDAV Exploit
-
RPC DCOM Vulnerability
It exists in the Windows Component Object Model (COM) subsystem, which is a critical service used by many Windows applications
The DCOM service allows COM objects to communicate with one another across a network and is activated by default on Windows NT, 2000, XP, and 2003
Attackers can reach the vulnerability in COM via any of the following ports:
TCP and UDP ports 135 (Remote Procedure Call)
TCP ports 139 and 445 (NetBIOS)
TCP port 593 (RPC-over-HTTP)
Any IIS HTTP/HTTPS port if COM Internet Services are enabled
RPC Exploit-GUI Hacking Tool
Warning: This outdated vulnerability has been presented here as a proof of concept to demonstrate how a buffer overflow works
-
ASN Exploits
ASN, or Abstract Syntax Notation, is used for representing different types of binary data such as numbers or strings of text
The ASN.1 exploit targets a Windows authentication protocol known as NT LAN Manager V2, or NTLMV2
The attacker can run a program that will cause machines using a vulnerable version of the ASN.1 Library to reboot, producing a so-called denial-of-service attack
-
ASP Trojan (cmd.asp)
ASP Trojan is a small script which, when uploaded to a web server, allows complete control of the remote PC
ASP Trojan can be easily attached to shrink-wrap applications, thereby creating a backdoor
-
IIS Logs
IIS logs all the visits in log files. The log file is located at: \logfiles
If proxies are not used, then the IP can be logged
This command lists the log files:
http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
-
Network Tool: Log Analyzer
This tool helps to grab web server logs and build graphically rich self-explanatory reports on website usage statistics, referring sites, traffic flow, search phrases, etc.
-
Hacking Tool: CleanIISLog
This tool clears the log entries in the IIS log files filtered by an IP address
An attacker can easily cover his tracks by removing entries based on his IP address in W3SVC Log Files
-
Unspecified Executable Path Vulnerability
When executables and DLL files are not preceded by a path in the registry (e.g. explorer.exe does not have a fixed path by default), Windows NT 4.0 / 2000 will search for the file in the following locations in this order:
the directory from which the application loaded
the current directory of the parent process
...\system32
...\system
the windows directory
the directories specified in the PATH environment variable
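The search order above can be turned into an audit. The following Python sketch is an added example, not from the original slides: it resolves a bare file name through the listed locations in a constructed directory tree and reports when a copy in a non-system location would be found before the system copy. The directory layout, the helper.exe name and the function names are assumptions for illustration.

```python
import ntpath
import os
import tempfile

# Locations that only administrators should be able to write to.
TRUSTED = {"system32", "system", "windows directory"}


def needs_fixed_path(registry_value):
    """True if the value is a bare name, so the search order decides what runs."""
    return not ntpath.isabs(registry_value)


def search_order(app_dir, parent_cwd, windows_dir, path_dirs):
    """Candidate directories for a bare file name, in the order listed above."""
    order = [
        ("application directory", app_dir),
        ("parent process current directory", parent_cwd),
        ("system32", os.path.join(windows_dir, "system32")),
        ("system", os.path.join(windows_dir, "system")),
        ("windows directory", windows_dir),
    ]
    return order + [("PATH", d) for d in path_dirs]


def audit_bare_name(name, order):
    """Report which copy of `name` wins the search and which copies it shadows."""
    hits = [(label, os.path.join(d, name)) for label, d in order
            if os.path.isfile(os.path.join(d, name))]
    if not hits:
        return {"loaded": None, "shadowed": [], "finding": "not found"}
    winner, rest = hits[0], hits[1:]
    if winner[0] in TRUSTED:
        finding = "ok"
    elif any(label in TRUSTED for label, _ in rest):
        finding = "untrusted copy shadows the system copy"
    else:
        finding = "resolved from an untrusted location"
    return {"loaded": winner, "shadowed": rest, "finding": finding}


def demo():
    """Build a constructed directory tree and audit two bare names against it."""
    with tempfile.TemporaryDirectory() as root:
        win = os.path.join(root, "WINNT")
        app = os.path.join(root, "app")
        cwd = os.path.join(root, "drive_root")
        for d in (os.path.join(win, "system32"), os.path.join(win, "system"), app, cwd):
            os.makedirs(d)
        for path in (os.path.join(win, "explorer.exe"),            # expected copy
                     os.path.join(cwd, "explorer.exe"),            # stray copy, earlier in the order
                     os.path.join(win, "system32", "helper.exe")):  # hypothetical name
            open(path, "wb").close()
        order = search_order(app, cwd, win, [os.path.join(root, "tools")])
        results = {}
        for value in ("explorer.exe", "helper.exe"):
            report = audit_bare_name(value, order)
            results[value] = (report["loaded"][0], report["finding"], len(report["shadowed"]))
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, needs_fixed_path(name), outcome)
```

A value that fails needs_fixed_path is removed from this audit entirely once the registry entry carries its full path, because the search order no longer applies to it.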
-
Metasploit Framework
Metasploit framework is an advanced open-source platform for developing, testing, and using exploit code
A tool for penetration testing, exploit development, and vulnerability research
The framework was composed in Perl scripting language and consists of several components written in C, assembler, and Python
Runs on any UNIX-like system under its default configuration
A customized Cygwin environment for Windows OS users
http://www.metasploit.com
-
Metasploit - Screenshot
-
Immunity CANVAS Professional
Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide
CANVAS Professional's completely open design allows a team to adapt CANVAS Professional to their environment and needs
CANVAS Professional supports Windows, Linux, MacOSX and other Python environments
One license costs $1244. One license allows up to 10 users/installations
Source courtesy: http://www.immunitysec.com/products-canvas.shtml
-
Screenshot 1
-
Screenshot 2
-
Core Impact
CORE IMPACT is the first automated, comprehensive penetration testing product for assessing specific information security threats to an organization
By safely exploiting vulnerabilities in your network infrastructure, the product identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments
-
Screenshots
-
Hotfixes and Patches
A hotfix is code that fixes a bug in a product. The users may be notified through emails or through the vendor's website
Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack
A patch can be considered a repair job for a programming problem. A patch is the immediate solution that is provided to users
-
What is Patch Management?
Patch management is a process used to ensure that the appropriate patches are installed on a system
It involves the following:
Choosing, verifying, testing, and applying patches
Updating previously applied patches with current patches
Listing patches applied previously to the current software
Recording repositories, or depots, of patches for easy selection
Assigning and deploying applied patches
-
Solution: UpdateExpert
UpdateExpert is a Windows administration program that helps you secure your systems by remotely managing service packs and hotfixes
Microsoft constantly releases updates for the OS and mission critical applications, which fix security vulnerabilities and system stability problems
UpdateExpert enhances security, keeps systems up-to-date, eliminates sneaker-net, improves system reliability and QoS
-
Screenshot
-
Patch Management Tool: qfecheck
Qfecheck allows customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for Microsoft Windows 2000
Qfecheck.exe determines which hotfixes are installed by reading the information stored in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates
-
Patch Management Tool: HFNetChk
A command-line tool that enables the administrator to check the patch status of all the machines in a network remotely
It does this function by referring to an XML database that Microsoft constantly updates
-
cacls.exe Utility
Built-in Windows 2000 utility (cacls.exe) can set access control list (ACL) permissions globally
To change permissions on all executable files to System:Full, Administrators:Full:
C:\>cacls.exe c:\myfolder\*.exe /T /G System:F Administrators:F
-
Vulnerability Scanners
The different types of vulnerability scanners according to their availability are:
Online Scanners: e.g. www.securityseers.com
Open Source scanners: e.g. Snort, Nessus Security Scanner, and Nmap
Linux Proprietary Scanners: The resource for scanners on Linux is SANE (Scanner Access Now Easy). Besides SANE there is XVScan, Parallel Port Scanners under Linux, and USB Scanners on Linux
Commercial Scanners: You can purchase these from the vendors
-
Online Vulnerability Search Engine
-
Network Tool: N-Stealth HTTP Vulnerability Scanner
-
Hacking Tool: WebInspect
WebInspect is an impressive web server and application-level vulnerability scanner that scans over 1,500 known attacks
It checks site contents and analyzes for rudimentary application-issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter checks
It can analyze a basic web server in 4 minutes, cataloging over 1,500 HTML pages
-
Network Tool: Shadow Security Scanner
Security scanner is designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's Internet, intranet, and extranet environments
Shadow Security Scanner includes vulnerability auditing modules for many systems and services
These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP, LDAP, TCP/IP, UDP, Registry, Services, users and accounts, password vulnerabilities, publishing extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgreSQL, Interbase, MiniSQL, and more
-
Screenshots
-
SecureIIS
Developed by eEye Digital Security specifically for Windows-based web servers, SecureIIS operates within Microsoft's IIS to protect your servers against known and unknown attacks
-
Countermeasures
IISLockdown:
IISLockdown restricts anonymous access to system utilities as well as the ability to write to web content directories
It disables Web Distributed Authoring and Versioning (WebDAV)
It installs the URLScan ISAPI filter
URLScan:
UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator
MBSA Utility:
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that determines the security state in accordance with Microsoft security recommendations and offers specific remediation guidance
-
File System Traversal Countermeasures
Microsoft recommends setting the NTFS ACLs on cmd.exe and several other powerful executables to Administrator and SYSTEM: Full Control only
Sample files must be removed
Monitor the audit logs
Apply Microsoft patches and hotfixes regularly
-
Increasing Web Server Security
Use of Firewalls
Administrator Account Renaming
Disabling the Default Websites
Removal of Unused Application Mappings
Disabling Directory Browsing
Legal Notices
Service Packs, Hotfixes, and Templates
Checking for Malicious Input in Forms and Query Strings
Disable Remote Administration
-
Web Server Protection Checklist
-
Web Server Protection Checklist (cont'd)
8. Accounts
Remove unused accounts
Disable guest
Rename administrator account
Disable null user connections
Enable administrator to log on locally
9. IIS Metabase
Access to the metabase is restricted by using NTFS permissions
10. Files and Directories
Files and directories are contained on NTFS volumes
Web site content is located on a non-system NTFS volume
Web site root directory has deny write for IUSR_COMPUTERNAME
11. Server Certificates
The certificate's public key is valid, all the way to a trusted root authority
12. Shares
Administrative shares (C$ and Admin$) are removed
13. Machine.config
1. Unused HttpModules are removed
2. Tracing is disabled
14. Ports
Restrict Web applications to use only port 80 and 443
15. Code Access Security
Code access security is enabled on the server
-
What happened next?
Jason Springfield, an Ethical Hacker, was called in to investigate the matter. During his tests, Jason found that the website had all default configurations, and no precautionary steps were taken while building the website.
The test exposed a lot of security loopholes in the website.
The defacement was possible as the website was built with all default configuration.
The web server was not updated and hot fixes were not installed.
There was a flaw in the Index.htm file of the website.
The attacker exploited this flaw, and defacing was a piece of cake for him!!
Jason fixed the holes and changed the default configurations. This incident made the management of SpeedCake4u realize the need for a professional web designer.
-
Summary
Web servers assume critical importance in the realm of Internet security
Vulnerabilities exist in different releases of popular web servers and respective vendors patch these often
The inherent security risks owing to compromised web servers have impact on the local area networks that host these websites, even on the normal users of web browsers
Looking through the long list of vulnerabilities that had been discovered and patched over the past few years provides an attacker ample scope to plan attacks to unpatched servers
Different tools/exploit codes aid an attacker in perpetrating web server hacking
Countermeasures include scanning for existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering