Module 12
Hacking Webservers

Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers    Exam 312-50

Module 12 Page 1601
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

GoDaddy Outage Takes Down Millions, Anonymous Member Claims Responsibility
Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers; specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.

AnonymousOwn3r's bio reads "Security leader of #Anonymous (Official member)". The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However,
Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual
themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how the attacker hacks it, the different types of attacks that an attacker can carry out on web servers, the tools used in web server hacking, etc. Exploring web server security is a vast domain, and delving into the finer details of the discussion is beyond the scope of this module. This module familiarizes you with:

- IIS Web Server Architecture
- Why Web Servers Are Compromised?
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- Countermeasures
- How to Defend Against Web Server Attacks
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing
Module Flow

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Countermeasures

Webserver Concepts

This section gives you a brief overview of the web server and its architecture. It also explains the common reasons or mistakes that encourage attackers to hack a web server and let them succeed at it. This section also describes the impact of attacks on the web server.
Web Server Market Shares

(Figure: bar chart of web server market share. Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%; LiteSpeed, Google Server and Tomcat follow, with 1.7% and 1.2% the only other values legible on the chart.)
Open Source Web Server Architecture

The diagram below illustrates the basic components of open source web server architecture.

(Figure: site users and the site admin reach the server over the Internet, and attacks arrive over the same path. The server stack, from the bottom up, is Linux, the file system, Apache with compiled extensions, the applications written in PHP, and MySQL.)

Where:
Linux - the server's operating system
Apache - the web server component
MySQL - a relational database
PHP - the application layer
IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. ... Apache HTTP server. It occupies around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. The diagram that follows illustrates the basic components of IIS web server architecture:

(Figure: requests arrive from the Internet and cross from kernel mode into user mode. In user mode, Svchost.exe hosts the Windows Activation Service (WAS) and the WWW Service, which reads applicationHost.config. Inside an application pool, the Web Server Core runs the request pipeline: begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing. Native modules provide anonymous authentication, the managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging. Managed modules such as Forms Authentication run inside an AppDomain, alongside external apps; FTP is shown as a separate service.)
Website Defacement

- Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offending data
- Defaced pages expose visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected

(Figure: a browser at http://juggyboy.com/index.aspx showing a defaced page that reads "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com".)

Website defacement is the process by which hackers change the content of a website or web page. Hackers break into the web server and alter the hosted website by creating something new. Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
Why Web Servers Are Compromised

- Unnecessary default, backup, or sample files
- Installing the server with default settings
- Security conflicts with the business ease-of-use case
- Improper file and directory permissions
- Misconfigurations in web server, operating systems, and networks
- Default accounts with their default or no passwords
- Lack of proper security policy, procedures, and maintenance
- Unpatched security flaws in the server software, OS, and applications
- Bugs in server software, OS, and web applications
- Misconfigured SSL certificates and encryption settings
- Improper authentication with external systems
- Use of self-signed certificates and default certificates
- Administrative or debugging functions that are enabled or accessible
- Unnecessary services enabled, including content management and remote administration

A poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make it almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.

End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website can be a conduit for malicious software to bypass the firewall and permeate the local area network.
Impact of Webserver Attacks

... replacing the original data. They change the website's look by changing the visuals and displaying different pages with messages of their own.

Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.

Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive data of the company, like the source code of a particular program.

Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they get root access to the source.
Module Flow

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Countermeasures

Webserver Attacks

Now that you are familiar with the web server concepts, we move forward to the possible attacks on web servers. Each and every action online is performed with the help of a web server; hence it is considered a critical resource of an organization. This is the same reason attackers target web servers. There are many attack techniques used by attackers to compromise web servers, and we will now discuss those techniques: ... attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.
Webserver Misconfiguration

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Examples include verbose debug/error messages and loopholes in authentication.

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed:

<Location /server-status>

Consider another example, the php.ini file. In the fragment shown, the error display and logging directives are set to On, errors are sent to syslog, and suppression of repeated errors is Off, so detailed error information is reported for every request that fails.
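The two misconfigurations above lend themselves to a mechanical check. The script below is an added example, not part of the CEH module: it parses a constructed Apache `<Location>` fragment and a constructed php.ini fragment, flags an unrestricted server-status handler and browser-visible PHP errors, and shows the hardened form of each beside the weak one. The directive names (SetHandler, Require, display_errors, log_errors, error_log, ignore_repeated_errors) are real Apache and PHP directives; the sample files and their contents are constructed for this example.

```python
"""Added example (not from the CEH module): audit Apache and php.ini fragments
for the two misconfigurations the text discusses, an unrestricted
/server-status handler and verbose PHP error reporting.

The configuration text below is constructed for this example; the directive
names (SetHandler, Require, display_errors, log_errors, error_log,
ignore_repeated_errors) are real Apache/PHP directives.
"""
import re

# Constructed sample: a server-status <Location> block with no access control.
APACHE_WEAK = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Hardened form: the same handler, restricted to the loopback address.
APACHE_HARDENED = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""

# Constructed php.ini fragment with error display switched on.
PHP_INI_WEAK = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

# Hardened form: errors still logged to syslog, but never shown to clients.
PHP_INI_HARDENED = """
display_errors = Off
log_errors = On
error_log = syslog
ignore_repeated_errors = On
"""

LOCATION_RE = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)


def unrestricted_status_locations(apache_conf):
    """Return the paths of server-status <Location> blocks that carry no
    Require/Allow/Order access-control directive at all.

    This is a syntactic check on a single fragment: access rules inherited
    from an enclosing <Directory> or a parent configuration are not seen.
    """
    findings = []
    for path, body in LOCATION_RE.findall(apache_conf):
        if not re.search(r"SetHandler\s+server-status", body, re.I):
            continue
        if not re.search(r"^\s*(Require|Allow|Order)\b", body, re.M | re.I):
            findings.append(path)
    return findings


def parse_ini(text):
    """Parse 'key = value' lines into a dict, ignoring ';' comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def php_error_disclosure_findings(php_ini):
    """Flag php.ini settings that push error details to the browser.

    display_errors=On leaks paths, SQL fragments and stack traces to anonymous
    clients. Logging itself is desirable, so log_errors is reported only when
    it is switched off entirely.
    """
    cfg = parse_ini(php_ini)
    findings = []
    if cfg.get("display_errors", "off") in ("on", "1", "stdout"):
        findings.append("display_errors is On: error details are sent to clients")
    if cfg.get("log_errors", "off") not in ("on", "1"):
        findings.append("log_errors is Off: errors are neither logged nor available for review")
    return findings


if __name__ == "__main__":
    print("weak Apache:", unrestricted_status_locations(APACHE_WEAK))
    print("hardened Apache:", unrestricted_status_locations(APACHE_HARDENED))
    print("weak php.ini:", php_error_disclosure_findings(PHP_INI_WEAK))
    print("hardened php.ini:", php_error_disclosure_findings(PHP_INI_HARDENED))
```

The Apache check is deliberately narrow: it only looks inside the `<Location>` block itself, so a `Require` inherited from a parent section will still be reported as missing. Treat its output as a list of blocks to review by hand, not as proof of exposure.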
Directory Traversal Attacks

Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL. Attackers can use this method to navigate outside of the root directory and access sensitive information in the system.

(Figure: a directory listing of C:\ on the target, reached by traversing up from the web root under Inetpub. Volume Serial Number D45E-9FEE; entries include .rnd, 123.text, AUTOEXEC.BAT, CATALINA_HOME, CONFIG.SYS, Documents and Settings, Downloads, Intel, Program Files, Snort, WINDOWS and WinDump.exe (569,344 bytes); 7 files, 570,368 bytes, 13 directories, 13,432,115,200 bytes free. The web root itself holds the folders company, downloads, images, news, scripts and support.)
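The listing above is what a naive file handler hands out when it concatenates the request path onto the document root. The following is an added example, not code from the CEH module: it shows that vulnerable pattern next to a resolver that decodes the request (including double-encoded and backslash variants), normalises it, and then confirms with realpath that the target still lies inside the root. The document root and the request paths are constructed for the example; nothing here touches a real server.

```python
"""Added example (not from the CEH module): the file-serving mistake behind
directory traversal, beside a resolver that keeps requests inside the
document root.

Document roots and request paths are constructed for this example; nothing
here touches a real server.
"""
import os
import posixpath
import tempfile
from urllib.parse import unquote


def serve_file_vulnerable(docroot, requested):
    """Naive handler: glues the request path onto the document root.

    '../' sequences in `requested` walk straight out of `docroot`; this is
    the behaviour that yields a listing like the one in the text.
    """
    return os.path.normpath(os.path.join(docroot, requested))


def resolve_under_root(docroot, requested):
    """Hardened resolver: returns the absolute target path if it stays inside
    docroot, otherwise None.

    Order matters: percent-decode twice (so %252e%252e double encoding is
    seen), treat backslashes as separators (IIS semantics), drop a leading
    '/' so the path is relative to the root, normalise the '..' segments and
    finally let realpath resolve symlinks before the containment check.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    relative = posixpath.normpath(decoded.lstrip("/"))
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def is_traversal(docroot, requested):
    """True when the request would escape the document root."""
    return resolve_under_root(docroot, requested) is None


def traversal_report(requests):
    """Evaluate each request against a throwaway document root containing an
    images/ folder and return {request: escaped?}."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        return {req: is_traversal(root, req) for req in requests}


# Constructed requests: two legitimate, four traversal variants.
SAMPLE_REQUESTS = [
    "images/logo.png",                     # legitimate
    "/images/logo.png",                    # legitimate, leading slash
    "../../../../etc/passwd",              # classic dot-dot-slash
    "..%2f..%2fetc%2fpasswd",              # URL-encoded slashes
    "..%252f..%252fetc%252fpasswd",        # double-encoded
    "..\\..\\windows\\win.ini",            # backslash variant
]

if __name__ == "__main__":
    for req, escaped in traversal_report(SAMPLE_REQUESTS).items():
        print(f"{req:32} escapes root: {escaped}")
    print("naive handler maps ../../../etc/passwd to",
          serve_file_vulnerable("/var/www/html", "../../../etc/passwd"))
```

Decoding twice is a pragmatic choice for a detector; a production handler should instead reject any request that still contains a `%` after one decode, since a legitimate path never needs double encoding.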
HTTP Response Splitting Attack

The author parameter is copied into a Set-Cookie header without validation:

String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);

Input = Jason

First response:
HTTP/1.1 200 OK
Set-Cookie: author=Jason

Second response:
HTTP/1.1 200 OK
Web Cache Poisoning Attack

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in the cache. Subsequent users who request the URL are then served the attacker's content from the web cache instead of the legitimate content. Web cache poisoning is explained below with a step-by-step procedure.

1. The attacker sends a request to remove the page from the cache:

GET http://juggyboy.com/index.html HTTP/1.1
Pragma: no-cache
Host: juggyboy.com
Accept-Charset: iso-8859-1,*,utf-8

2. Normal response after clearing the cache for juggyboy.com. The redirect script on the site copies a request parameter into the Location header without validation:

http://www.juggyboy.com/welcome.php?lang=<?php header("Location:" . $_GET['page']); ?>

3. The attacker sends a malicious request that generates two responses (steps 4 and 6):

GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
Host: juggyboy.com

GET http://juggyboy.com/index.html HTTP/1.1
Host: testsite.com
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept-Charset: iso-8859-1,*,utf-8

4. The attacker gets the first server response.

5. The second response is matched to the follow-up request for index.html and points to the attacker's page.

6. Poisoned server cache: the cache now holds the attacker's page for http://juggyboy.com/index.html.
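The response splitting snippet above and the cache poisoning payload both rely on one mechanism: a CR/LF pair inside a header value ends the first response and lets the attacker dictate a complete second one. The following is an added example, not code from the CEH module or from any of the sites it names: it simulates the vulnerable Set-Cookie builder from the Java snippet, parses the resulting byte stream the way a caching proxy delimits responses (by Content-Length), and shows the hardened header check that refuses the injection. The injected value mirrors the shape of the page's redir.php payload; the request values, cookie names and page bodies are constructed for the example.

```python
"""Added example (not from the CEH module): how a CRLF-injected header value
splits one HTTP response into two, and the header-value check that stops it.

The server behaviour is simulated: `vulnerable_response` mimics the Java
snippet in the text (user input copied straight into Set-Cookie), and
`split_responses` parses the resulting byte stream the way a proxy or cache
would. All requests, cookie names and page bodies are constructed.
"""
import re
from urllib.parse import unquote

CRLF = "\r\n"


def vulnerable_response(author):
    """Builds the 'Set-Cookie: author=...' response with no validation,
    which is exactly the flaw in the page's Java snippet."""
    body = "<html>Welcome</html>"
    return (f"HTTP/1.1 200 OK{CRLF}"
            f"Set-Cookie: author={author}{CRLF}"
            f"Content-Type: text/html{CRLF}"
            f"Content-Length: {len(body)}{CRLF}{CRLF}{body}")


def safe_header_value(value):
    """Hardened form: refuse any CR or LF in a value destined for a header.
    Raise rather than strip, so the caller learns it received hostile input."""
    if re.search(r"[\r\n]", value):
        raise ValueError("CR/LF not allowed in header values")
    return value


def hardened_response(author):
    return vulnerable_response(safe_header_value(author))


def split_responses(raw):
    """Parse a text stream into the list of HTTP responses it contains.

    Each response is (status_line, headers_dict, body); the body length is
    taken from Content-Length, which is what lets the injected second
    response be delimited and cached as a separate object. Whatever trails
    the injected response (the remainder of the original one) is parsed as
    a further fragment with an empty status line, as a lenient proxy would.
    """
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].split(CRLF)
        status_line, header_lines = lines[0], lines[1:]
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + len(CRLF + CRLF)
        body = raw[body_start:body_start + length]
        responses.append((status_line, headers, body))
        pos = body_start + length
    return responses


# Constructed payload in the shape of the page's redir.php example: close the
# first response with Content-Length: 0, then supply a complete second one.
ATTACK_PAGE = "<html>Attack Page</html>"
INJECTED_AUTHOR = unquote(
    "Jason%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    f"Content-Length:%20{len(ATTACK_PAGE)}%0d%0a%0d%0a{ATTACK_PAGE}"
)


def demo():
    """Return (responses for benign input, responses for injected input,
    whether the hardened builder rejected the injected input)."""
    benign = split_responses(vulnerable_response("Jason"))
    split = split_responses(vulnerable_response(INJECTED_AUTHOR))
    try:
        hardened_response(INJECTED_AUTHOR)
        rejected = False
    except ValueError:
        rejected = True
    return benign, split, rejected


if __name__ == "__main__":
    benign, split, rejected = demo()
    print(len(benign), "response(s) for 'Jason'")
    print(len(split), "response(s) for injected value; second body:", split[1][2])
    print("hardened builder rejected injected value:", rejected)
```

Modern servlet containers and most web frameworks already reject CR/LF in header values, so the Java snippet is only exploitable on platforms that do not; the parser is still useful for confirming, from a captured response, whether an intermediary would see one object or two.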
SSH Brute Force Attack

- Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel
- SSH tunnels can be used to transmit malware and other exploits to victims without being detected

(FIGURE 12.11: SSH Brute Force Attack. The attacker on the Internet brute-forces credentials on the SSH server; the tunnel then reaches the internal mail server, web server, application server, file server and users behind it.)
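From the defender's side, an SSH brute-force attempt is a burst of authentication failures from one source, and the case that matters most is a success following the burst. The script below is an added example, not part of the CEH module: it parses OpenSSH-style "Failed password" / "Accepted ..." lines, flags any source that exceeds a failure threshold inside a sliding window, and reports whether a login succeeded afterwards. The log lines, host name, user names and addresses are constructed; the threshold and window are assumptions to be tuned per environment.

```python
"""Added example (not from the CEH module): spotting an SSH brute-force
attempt in sshd auth.log output.

The log lines below are constructed in the shape of OpenSSH's 'Failed
password' / 'Accepted password' messages; hosts, users and addresses are
made up. Threshold and window are the assumptions a practitioner would tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Sep 10 14:02:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 10 14:02:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Sep 10 14:02:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Sep 10 14:02:06 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51128 ssh2
Sep 10 14:02:07 web1 sshd[2209]: Failed password for invalid user guest from 203.0.113.7 port 51130 ssh2
Sep 10 14:02:09 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51132 ssh2
Sep 10 14:05:40 web1 sshd[2300]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Sep 10 14:05:55 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.23 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2012):
    """Yield (timestamp, result, user, ip) for each sshd auth line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: summary} for sources with >= `threshold` failures inside
    any sliding `window`, noting whether a success followed the burst
    (the case that needs incident response, not just a block rule)."""
    events = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        events[ip].append((ts, result, user))

    findings = {}
    for ip, evs in events.items():
        fails = [ts for ts, r, _ in evs if r == "Failed"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                success_after = [u for ts, r, u in evs
                                 if r == "Accepted" and ts >= burst[-1]]
                findings[ip] = {
                    "failures": len(burst),
                    "usernames": sorted({u for _, r, u in evs if r == "Failed"}),
                    "compromised_user": success_after[0] if success_after else None,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The "invalid user" prefix is matched optionally on purpose: a guessing tool cycles through account names that do not exist as well as ones that do, and both kinds of failure belong in the same count.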
Man-in-the-Middle Attack

Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers. The attacker acts as a proxy such that all the communication between the user and the web server passes through him.

(Figure: in normal traffic the user talks directly to the web server; in the attack the attacker sits in the path and sniffs the communication to steal session IDs.)

A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages being exchanged between the user and the web server, through eavesdropping or by intruding into a connection. This allows the attacker to steal sensitive information of a user, such as online banking details, user names, passwords, etc., transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through the attacker by pretending to be a proxy. If the victim believes and agrees to the attacker's request, then all the communication between the user and the web server passes through the attacker. Thus, the
Webserver Password Cracking

- ... and that proves to the web server they are a valid user
- The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
- Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, a brute force attack, a dictionary attack, etc. to crack passwords

Attackers mainly target:
- Web form authentication cracking
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares

Webserver Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.

Guessing: ... easily. The same thing allows the attacker to crack passwords by guessing.

Dictionary Attack: A dictionary attack is a method that tries predefined words in various combinations. It may not be effective if the password consists of special characters and symbols, but compared to a brute force attack it is less time consuming.

Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase from ... special characters. It might take months or years to crack the password, which is practically impossible.

Hybrid Attack: A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt. It is more powerful because it combines a dictionary attack with a brute force attack over the appended symbols and numbers. Password cracking becomes easier with this method.
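The three techniques differ mainly in how many candidates they have to try, which is easiest to see by running them side by side. The code below is an added example, not from the CEH module or from any of the tools it names: it cracks a constructed password with a dictionary attack, a hybrid attack (dictionary words with case variants and appended digits or symbols) and a brute force search, counting attempts for each. The word list, the target password and the hash function (unsalted SHA-256, chosen only because it is in the standard library) are constructed for the example; real targets use slower, salted schemes, and the comparison of search spaces carries over unchanged.

```python
"""Added example (not from the CEH module): the three cracking strategies
the text contrasts, run against a constructed password hash.

The word list, the target password and the hash (unsalted SHA-256, chosen
only because it is in the standard library) are constructed for this
example; real targets use slower, salted schemes and the same logic applies.
"""
import hashlib
import itertools
import string

# Constructed word list: the common passwords the text names plus two pet names.
WORDLIST = ["password", "root", "administrator", "admin", "demo",
            "test", "guest", "qwerty", "rex", "bella"]

# Constructed hybrid tail: nothing, 0..99, a few symbols and two common years.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "@", "#", "$", "123", "2012"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_candidates(words):
    """Plain dictionary attack: each word exactly as listed."""
    yield from words


def hybrid_candidates(words, suffixes=SUFFIXES):
    """Hybrid attack: dictionary words with case variants and appended
    digits/symbols, i.e. a small brute-force tail on every word."""
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield variant + suffix


def brute_force_candidates(alphabet, max_len):
    """Exhaustive search over all strings of length 1..max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(target_hash, candidates):
    """Return (password, attempts) on success or (None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, attempts


def brute_force_space(alphabet_size, max_len):
    """Number of candidates a full brute force of length 1..max_len covers."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def demo(password="Bella2012"):
    """Crack a constructed password with each strategy.

    Returns the dictionary result, the hybrid result, a brute-force result
    on a short three-character password (a full search over the nine-character
    target is infeasible here) and the size of that nine-character space."""
    target = sha256_hex(password)
    dict_result = crack(target, dictionary_candidates(WORDLIST))
    hybrid_result = crack(target, hybrid_candidates(WORDLIST))
    alphabet = string.ascii_letters + string.digits
    brute_result = crack(sha256_hex("ab1"), brute_force_candidates(alphabet, 3))
    space = brute_force_space(len(alphabet), len(password))
    return dict_result, hybrid_result, brute_result, space


if __name__ == "__main__":
    (d_pw, d_tries), (h_pw, h_tries), (b_pw, b_tries), space = demo()
    print(f"dictionary: {d_pw} after {d_tries} attempts")
    print(f"hybrid:     {h_pw} after {h_tries} attempts")
    print(f"brute force (3 chars): {b_pw} after {b_tries} attempts")
    print(f"brute force over 62 chars up to length 9: {space:,} candidates")
```

The point the numbers make: a pet name plus a year is missed by the plain dictionary, found by the hybrid attack in a few thousand attempts, and sits inside a brute-force space of roughly 1.4e16 candidates. Length alone does not protect a password whose structure is word-plus-suffix.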
Web Application Attacks

Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications

Directory Traversal
Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.

Cookie Tampering
Cookie tampering is the method of poisoning or tampering with the cookie of the client. Most such attacks are carried out while a cookie is being sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.
C o m m a n d In je c tio n A tta c k s
C om m an d in je c tio n is an a tta c k in g m e th o d in w h ic h a h a cke r a lte rs th e c o n te n t o f th e w e b page by using h tm l code and by id e n tify in g th e fo rm fie ld s th a t lack valid
c o n s tra in ts .
M o s t w e b a p p lic a tio n s are designed to sustain som e a m o u n t o f d a ta . If th a t a m o u n t is exceede d, th e a p p lic a tio n m ay crash o r m ay e x h ib it som e o th e r v u ln e ra b le b e h a v io r. The a tta c k e r uses th is a d va n ta g e and flo o d s th e a p p lic a tio n s w ith to o m uch data, w h ic h in tu rn causes a b u ffe r o v e rflo w a tta ck.
Cross-Site Scripting (XSS) Attacks
A denial-of-service attack is a form of attack method intended to terminate the operations of a website or a server and make it unavailable to access for intended users.
Unvalidated Input and File Injection Attacks
Unvalidated input and file injection attacks refer to the attacks carried out by supplying an unvalidated input or by injecting files into a web application.
Cross-Site Request Forgery (CSRF) Attack
The user's web browser is requested by a malicious web page to send requests to a malicious website where various vulnerable actions are performed, which are not intended by the user. This kind of attack is dangerous in the case of financial websites.
SQL Injection Attacks
SQL injection is a code injection technique that uses the security vulnerability of a database for attacks. The attacker injects malicious code into the strings that are later on passed on to SQL Server for execution.
Session Hijacking
Session hijacking ... negotiates the real valid web session control mechanism to access the authenticated parts of a web application.
Ethical Hacking and Countermeasures: Hacking Webservers
Exam 312-50 Certified Ethical Hacker
Module Flow
So far we have discussed web server concepts and various techniques used by the attacker to hack web servers. Attackers usually attack a web server by following a procedural method. Now we will discuss the methodology used by attackers to compromise web servers.
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures
This section provides insight into the attack methodology and tools that help at various stages of hacking.
Information Gathering
Webserver Footprinting
Vulnerability Scanning
Information Gathering
Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she then analyzes the gathered information in order to find the security lapses in the current mechanism of the web server.
Web Server Footprinting
The purpose of footprinting is to gather more information about security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to know
Mirroring Website
Website mirroring is a method of copying a website and its content onto another server for offline browsing.
Vulnerability Scanning
Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.
Session Hijacking
Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.
Hacking Web Server Passwords
Attackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.
Query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number.
[Screenshot: Whois lookup of EBAY.COM via whois.verisign-grs.com (source: http://www.whois.net)]
Note: For complete coverage of information gathering techniques, refer to Module 02: Footprinting and Reconnaissance.
http://www.whois.net
Attack Methodology: Information Gathering
Every attacker, before hacking, first collects all the required information such as versions and technologies being used by the web server, etc. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of the attackers' time is spent in the phase of information gathering only. That's why information gathering is both an art as well as a science. There are many tools that can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:
Whois
Traceroute
Active Whois
Nmap
Angry IP Scanner
Netcat
Whois
Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup and search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used for performing a search to see who owns a domain name, how many pages from a site are listed with Google, or even search the Whois address listings for a website's owner.
Gather information such as server name, server type, operating systems, applications running, etc.
Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting.
[Screenshot: Netcraft "Search Web by Domain" results for "site contains microsoft", 3rd August 2012]
[Screenshot: httprecon fingerprinting a web server (source: http://www.computec.ch)]
[Screenshot: ID Serve querying www.google.com; the server identified itself as gws (source: http://www.grc.com)]
Httprecon
Source: http://www.computec.ch
... the ease and efficiency of this kind of enumeration.
ID Serve
Source: http://www.grc.com
ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
Mirror a website to create a complete profile of the site's directory structure, files structure, external links, etc.
Search for comments and other items in the HTML source code to make footprinting activities more efficient.
Use tools HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.
[Screenshot: HTTrack site mirroring in progress (source: http://www.httrack.com)]
... footprinting more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, Webcopier, and Blackwidow.
Source: http://www.httrack.com
HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-
Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.
Attack Methodology: Vulnerability Scanning
Vulnerability scanning is a method of determining various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners. Vulnerability scanning allows determining the vulnerabilities that exist in the web server and its configuration. Thus, it helps to determine whether the web server is exploitable or not. Sniffing techniques are adopted in the network traffic to find out active systems, network services, applications, and vulnerabilities present. Also, attackers test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning such as HP WebInspect, Nessus, Paros proxy, etc. to find hosts, services, and vulnerabilities.
Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans the system remotely and reports if it detects vulnerabilities before the attacker actually attacks and compromises them. Its five features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.
Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs.
Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
[Screenshot: Burp Suite Free Edition v1.4.01 (source: http://portswigger.net)]
Note: For complete coverage of Session Hijacking concepts and techniques, refer to Module 11: Session Hijacking.
Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the user responds with the correct sequence number. Thus, the attacker takes over the user session. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and session IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.
Burp Suite
Source: http://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The components of Burp Suite include proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.
[Screenshot: Brutus running an HTTP (Basic Auth) password attack against target 10.0.0.17 (source: http://www.hoobie.net)]
Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
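As an added example (not from the original text or from Brutus), the Python detector below runs over constructed Apache-format access log lines and flags the trace a dictionary run like the one on the slide (6 users, 818 passwords) leaves behind: a burst of 401 responses from one client cycling through several usernames. The log lines, client addresses, time window and thresholds are all assumed values.

```python
"""Detect HTTP Basic Auth password guessing in web server access logs.

Works on Apache "combined" format lines. The third field (%u) is the
username taken from the Authorization header; on a 401 response it is the
name the client *tried*, so distinct usernames per source can be counted
alongside the raw failure volume.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, user, sec, status, path="/admin/"):
    """Build one constructed combined-format log line (HEAD, like Brutus)."""
    return (f'{ip} - {user} [11/Oct/2012:09:34:{sec:02d} +0000] '
            f'"HEAD {path} HTTP/1.1" {status} - "-" "Mozilla/4.0"')


# Constructed sample: one client guessing three usernames in 12 seconds,
# and one legitimate user who mistypes a password once and then succeeds.
SAMPLE_LOG = (
    [_line("10.0.0.5", "admin", 37 + i, 401) for i in range(5)]
    + [_line("10.0.0.5", "backup", 42 + i, 401) for i in range(4)]
    + [_line("10.0.0.5", "root", 46 + i, 401) for i in range(3)]
    + [_line("10.0.0.9", "alice", 40, 401), _line("10.0.0.9", "alice", 52, 200)]
)


def parse_failures(lines):
    """Group 401 responses by client IP as sorted (timestamp, user, path)."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "401":
            continue  # unparseable line or not an auth failure
        ts = datetime.strptime(m["ts"], TS_FMT)
        failures[m["ip"]].append((ts, m["user"], m["path"]))
    for evs in failures.values():
        evs.sort()
    return failures


def detect_basic_auth_bruteforce(lines, window=timedelta(seconds=60),
                                 max_failures=10, max_users=3):
    """Return one alert per client IP whose 401s inside any `window` reach
    `max_failures` attempts or `max_users` distinct usernames."""
    alerts = []
    for ip, evs in parse_failures(lines).items():
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1  # slide the window forward
            in_window = evs[start:end + 1]
            users = sorted({u for _, u, _ in in_window})
            if len(in_window) >= max_failures or len(users) >= max_users:
                alerts.append({
                    "ip": ip,
                    "failures": len(in_window),
                    "users": users,
                    "first": in_window[0][0].isoformat(),
                    "last": ts.isoformat(),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_basic_auth_bruteforce(SAMPLE_LOG):
        print(alert)
```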
Module Flow
The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Counter-measures
Patch Management
[Screenshot: Metasploit web interface]
Complete penetration ... leveraging multi-level attacks
Test with the world's largest public database of quality assured exploits.
Tunnel any traffic through compromised targets to pivot deeper into the network.
Collaborate more effectively with team members in concerted network tests.
Customize the content and template of executive, audit, and technical reports.
Metasploit Architecture
[Diagram: Metasploit architecture: Interfaces (msfconsole, msfcli, msfweb, msfwx, msfapi), Framework-Core, Framework-Base, Rex, Custom plug-ins, Protocol Tools, Security Tools, Web Services Integration, Modules]
The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.
[Diagram: Metasploit architecture: Libraries (Rex), Custom plug-ins, Interfaces (msfconsole, msfcli, msfweb, msfwx, msfapi), Protocol Tools, Security Tools, Web Services Integration; Modules: Exploits, Payloads, Encoders, NOPs, Auxiliary]
It is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit.
Using a Mixins feature, users can also modify exploit behavior dynamically, brute force attacks, and attempt passive exploits.
Configuring Active Exploit
Verifying the Exploit Options
Selecting a Target
Selecting the Payload
Launching the Exploit
... screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. To generate payloads, first select a payload using the command:
Command Prompt

    msf > use windows/shell_reverse_tcp
    msf payload(shell_reverse_tcp) > generate -h

    Generates a payload.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -h        Help banner.
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -s <opt>  NOP sled length.
        -t <opt>  The output type: ruby, perl, c, or raw.

    msf payload(shell_reverse_tcp) >
M o d u le 12 P ag e 1661
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
CEH
Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command.
Command Prompt
msf > use dos/windows/smb/ms06_035_mailslot
msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(ms06_035_mailslot) > run
[*] Mangling the kernel, two bytes at a time...
CEH
command to generate a NOP sled of an arbitrary size and display it in a given format.
Command Prompt
msf nop(opty2) > generate -h

Generates a NOP sled of a given length.

OPTIONS:

    -b <opt>  The list of characters to avoid: '\x00\xff'
    -h        Help banner.
    -s <opt>  The comma separated list of registers to save.
    -t <opt>  The output type: ruby, perl, c, or raw.

To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:
msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >
Wfetch screenshot: Advanced Request window (Verb: GET, Host: localhost, Port: 80, Connection: Connect, Cipher, Client cert, Proxy) and Log Output window (Last Status: 500 Internal Server Error; WWWConnect::Connect("localhost","80"); WWWConnect::Close("localhost","80") closed source port 7398).
Brutus - AET2 (www.hoobie.net/brutus, January 2000)
Highly customizable authentication sequences
Load and resume position
Import and export custom authentication types as BAD files seamlessly
SOCKS proxy support for all authentication types
User and password list generation and manipulation functionality
HTML Form interpretation for HTML Form/CGI authentication types
Error handling and recovery capability, including resume after crash/failure
Brutus screenshot: Target 10.0.0.17, Port 80, Type HTTP (Basic Auth), User File users.txt; log output: Located and installed 1 authentication plug-ins; Initialising; Target 10.0.0.17 verified; Opened user file containing 6 users; Opened password file containing 818 Passwords; Maximum number of authentication attempts will be 4906; Engaging target 10.0.0.17 with HTTP (Basic Auth).
CEH
THC-Hydra is used to check for weak passwords. This tool is a brute force tool that is used by attackers as well as administrators. Hydra can automatically crack email passwords and gain access to routers, Windows systems, and telnet or SSH protected servers. It is a very fast network logon cracker that supports many different services.
Figure 12.28: THC-Hydra Screenshot (xHydra GUI; Target 192.168.168.1, Protocol rdp, Use SSL, Be Verbose, Show Attempts and Debug enabled; Output window:)
Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes
Hydra (http://www.thc.org/thc-hydra) starting at 2012-10-21 17:01:09
[DEBUG] cmdline: /usr/bin/hydra -S -v -V -d -l Administrator -P /home/ /Desktop/pass -t 16 192.16...
[DATA] 4 tasks, 1 server, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking service rdp on port 3389
[VERBOSE] Resolving addresses...
[DEBUG] resolving 192.168.168.1 done
[DEBUG] Code: attack  Time: 1350819069
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to r
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to
[DEBUG] head_no[0] active 0
[DEBUG] child 0 got target 0 selected
[DEBUG] head_no[1] active 0
CEH
Internet Password Recovery Toolbox recovers passwords for Internet browsers, email clients, instant messengers, FTP clients, network and dial-up accounts.
http://www.rixler.com
Module Flow
CEH
components for protecting and safeguarding the webserver against webserver intrusions.
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures
This section highlights webserver countermeasures that protect webservers against various attacks.
CEH
Countermeasures: Patches and Updates
The following are a few countermeasures that can be adopted to protect web servers against various hacking techniques:
Scan for existing vulnerabilities and patch and update the server software regularly.
Apply all updates, regardless of their type, on an "as-needed" basis.
Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
Test the service packs and hotfixes on a representative non-production environment prior to deploying them to production.
Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs).
Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available.
Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation.
Schedule periodic service pack upgrades as part of operations maintenance and never be more than two service packs behind.
Countermeasures: Protocols
CEH
The following are some measures that should be applied to the respective
Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.
Harden the TCP/IP stack and consistently apply the latest software patches and updates to system software.
If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.
If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols.
Countermeasures: Accounts
CEH
The following is the list of account countermeasures for hacking web servers:
Remove all unused modules and application extensions.
Disable unused default user accounts created during installation of an operating system.
When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content.
Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.
Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures.
Run processes using least privileged accounts as well as least privileged service and user accounts.
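The Brutus and THC-Hydra pages above show what a password-guessing run looks like from the attacker's console; the account countermeasure "audit and alert for logon failures" is the defender's side of it. The following is an added example (not part of the CEH material or of either tool) that runs two detections over web server access-log lines: a per-source count of HTTP 401 responses, and the more telling pattern of a run of 401s on one path followed by a 200 from the same client, which is what a successful guess looks like in the log. The log lines, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/IIS-style combined log format: one client is
# answered 401 five times on /admin and then gets a 200; another browses normally.
SAMPLE_LOG = """\
10.0.0.17 - - [21/Oct/2012:17:01:09 +0000] "GET /admin HTTP/1.1" 401 421 "-" "Mozilla/4.0"
10.0.0.17 - - [21/Oct/2012:17:01:09 +0000] "GET /admin HTTP/1.1" 401 421 "-" "Mozilla/4.0"
10.0.0.17 - - [21/Oct/2012:17:01:10 +0000] "GET /admin HTTP/1.1" 401 421 "-" "Mozilla/4.0"
10.0.0.17 - - [21/Oct/2012:17:01:10 +0000] "GET /admin HTTP/1.1" 401 421 "-" "Mozilla/4.0"
10.0.0.17 - - [21/Oct/2012:17:01:11 +0000] "GET /admin HTTP/1.1" 401 421 "-" "Mozilla/4.0"
10.0.0.17 - - [21/Oct/2012:17:01:11 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.42 - - [21/Oct/2012:17:02:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.42 - - [21/Oct/2012:17:02:05 +0000] "GET /admin HTTP/1.1" 401 421 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": int(m["status"])}

def count_auth_failures(log_text):
    """Number of 401 (authentication required/failed) responses per client address."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[rec["ip"]] += 1
    return dict(failures)

def find_brute_force(log_text, threshold=5):
    """Clients at or above the failure threshold (assumed value; tune per site)."""
    return sorted(ip for ip, n in count_auth_failures(log_text).items() if n >= threshold)

def success_after_failures(log_text, min_failures=3):
    """Clients that received a 200 on a path right after a streak of 401s on the
    same path: the signature of a guessed credential, worth an alert on its own."""
    streak = defaultdict(int)   # (ip, path) -> consecutive 401s so far
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            streak[key] += 1
        elif rec["status"] == 200 and streak[key] >= min_failures:
            hits.add(rec["ip"])
            streak[key] = 0
        else:
            streak[key] = 0
    return sorted(hits)

if __name__ == "__main__":
    print("401s per client:", count_auth_failures(SAMPLE_LOG))
    print("over threshold:", find_brute_force(SAMPLE_LOG))
    print("success after failures:", success_after_failures(SAMPLE_LOG))
```

Counting 401s alone catches a noisy tool such as the ones shown on the previous pages; the second check is the one that matters for incident response, because it points at the account that was actually opened.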
CEH
Countermeasures: Files and Directories
The following is the list of actions that should be taken against files and directories in order to protect web servers from hacking:
Eliminate unnecessary files within .jar files.
Eliminate sensitive configuration information within the byte code.
Avoid mapping virtual directories between two different servers, or over a network.
Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently.
Disable serving of directory listings.
Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files.
Disable serving certain file types by creating a resource mapping.
Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the operating system, logs, and any other system files.
CEH
How to Defend Against Web Server Attacks
Ports: Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server.
Server Certificates: Ensure that certificate data ranges are valid and that certificates are used for their intended purpose. Ensure that the certificate has not been revoked and the certificate's public key is valid all the way to a trusted root authority.
Machine.config: Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed. Ensure that tracing is disabled <trace enable="false"/> and debug compiles are turned off.
Code Access Security: Implement secure coding practices to avoid source code disclosure and input validation attacks. Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.
Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
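The Ports item above and the earlier "block all unnecessary ports ... NetBIOS and SMB" countermeasure both come down to one recurring check: is the server listening on anything beyond what its role needs? The following is an added example (not part of the CEH material) that parses a listening-socket table and reports every non-loopback listener that is not on an allow list, naming the services this module tells you to switch off. The table is constructed in the column layout printed by `ss -ltn` on Linux, and the allow list is an assumed policy for a web server that exposes only SSH, HTTP and HTTPS.

```python
# Constructed listening-socket table in `ss -ltn` layout (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port). 3306 is bound to loopback only.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*
LISTEN  0       50      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
LISTEN  0       128     0.0.0.0:139          0.0.0.0:*
"""

# Assumed policy: ports a hardened web server may expose on non-loopback addresses.
ALLOWED_PORTS = {22, 80, 443}

# Services the module says to disable if not required (Telnet, FTP, NetBIOS/SMB).
KNOWN_RISKY = {21: "FTP", 23: "Telnet", 139: "NetBIOS", 445: "SMB"}

def parse_ss(text):
    """Return [(address, port)] for LISTEN rows; handles IPv4, [IPv6] and wildcard forms."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # split on the LAST colon: "[::]:23"
        sockets.append((addr.strip("[]"), int(port)))
    return sockets

def is_loopback(addr):
    """Loopback-only listeners are not reachable from the network."""
    return addr == "::1" or addr.startswith("127.")

def audit_ports(text, allowed=ALLOWED_PORTS):
    """Report listeners outside the allow list and the risky services among them."""
    unexpected = [(a, p) for a, p in parse_ss(text)
                  if not is_loopback(a) and p not in allowed]
    risky = sorted({KNOWN_RISKY[p] for _, p in unexpected if p in KNOWN_RISKY})
    return {"unexpected": unexpected, "risky": risky}

if __name__ == "__main__":
    report = audit_ports(SS_OUTPUT)
    for addr, port in report["unexpected"]:
        print(f"unexpected listener {addr}:{port}")
    print("risky services:", ", ".join(report["risky"]) or "none")
```

On a real host the table comes from running the command and feeding its stdout to audit_ports; the allow list is what turns a one-off look at netstat into a repeatable audit that can run from cron and page someone when the answer changes.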
Server Certificates
Ensure that certificate data ranges are valid and that certificates are used for their intended purpose.
Machine.config
Ensure that tracing is disabled <trace enable="false"/> and debug compiles are turned off.
Code Access Security
Implement secure coding practices to avoid source code disclosure and input validation attacks.
Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.
commands and utilities with restrictive access control lists (ACLs), and install new
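The slide above asks for IIS to reject URLs containing "../". The following is an added example (not part of the CEH material and not IIS code) that shows the same containment rule at the application layer: a naive root-plus-path mapping beside a hardened one that decodes the request, refuses NUL and backslash, and rejects any ".." segment rather than trying to normalise it away. The document root and the sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the example

def unsafe_map(url_path):
    """'Before' form: the request path is glued onto the root, so '..' walks out of it."""
    return WEB_ROOT + "/" + url_path.lstrip("/")

def resolved_unsafe(url_path):
    """The file the OS would actually open for unsafe_map's result."""
    return posixpath.normpath(unsafe_map(url_path))

def safe_map(url_path):
    """Hardened form: returns the file-system path, or None when the request
    must be rejected. Decodes twice so both %2e%2e and the double-encoded
    %252e%252e are seen as '..' (a deliberate trade-off: a legitimate file
    name containing a literal '%25' would also be decoded twice)."""
    decoded = unquote(unquote(url_path))
    if "\x00" in decoded or "\\" in decoded:       # NUL truncation, Windows separators
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):           # no legitimate URL needs '..'
        return None
    return posixpath.join(WEB_ROOT, *segments) if segments else WEB_ROOT

if __name__ == "__main__":
    for req in ("/images/./logo.png", "../../../etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{req!r:32} unsafe -> {resolved_unsafe(req)}  safe -> {safe_map(req)}")
```

The hardened mapper never returns a path outside WEB_ROOT by construction, because every component it joins is a plain segment with no separators and no "..": there is nothing left to traverse with.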
CEH
How to Defend Against Web Server Attacks (Contd)
IIS Lockdown
Use the IIS Lockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server.
IIS Lockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.
IISLockdown restricts anonymous access to system utilities, as well as having the ability to write to web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications, and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories. Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications. It disables Web Distributed Authoring and Versioning (WebDAV) and installs the URLScan ISAPI filter.
Services
Disable the services running with least-privileged accounts. Disable FTP, SMTP, and NNTP services if not required. Disable the Telnet service.
Switch off all unnecessary services and disable them, so that the next time the server is rebooted, they are not started automatically. This also gives an extra boost to your server performance, by freeing some hardware resources.
CEH
How to Defend Against Web Server Attacks (Contd)
Shares
Remove all unnecessary file shares, including the default administration shares, if they are not required. Secure the shares with restricted NTFS permissions.
Script Mappings
Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions that handle these types of files.
IIS Metabase
Ensure that security-related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions. Restrict banner information returned by IIS.
ISAPI Filters
Remove unnecessary ISAPI filters from the web server.
Registry
Apply restricted ACLs and block remote registry administration. Secure the SAM (stand-alone servers only).
Sites and Virtual Directories
Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.
Auditing and Logging
CEH
How to Defend Against Web Server Attacks (Contd)
Do not connect an IIS server to the Internet until it is fully hardened.
Do physically protect the web server machine in a secure machine room.
Do not allow anyone to locally log on to the machine except for the administrator.
Use security tools provided with web server software and scanners that automate and make the process of securing a web server easy.
Limit the server functionality in order to support the web technologies that are going to be used.
kinds of attacks:
Create URL mappings to internal servers cautiously.
If a database server such as Microsoft SQL Server is to be used as a backend database, install it on a separate server.
Do use a dedicated machine as a web server.
Don't install the IIS server on a domain controller.
Use server-side session ID tracking and match connections with time stamps, IP address, etc.
Use security tools provided with the web server and scanners that automate and make the process of securing a web server easy.
Screen and filter the incoming traffic request.
Do physically protect the web server machine in a secure machine room.
Do configure a separate anonymous user account for each application, if you host multiple web applications.
How to Defend against HTTP Response Splitting and Web Cache Poisoning
CEH
Server Admin
Use latest web server software
Regularly update/patch OS and web server
Run web vulnerability scanner
Application Developers
Restrict web application access to unique IPs
Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters
Comply with RFC 2616 specifications for HTTP/1.1
Proxy Servers
Avoid sharing incoming TCP connections among different clients
Use different TCP connections with the proxy for different virtual hosts
Implement "maintain request host header" correctly
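The developer item "disallow carriage return (%0d or \r) and line feed (%0a or \n)" is the whole defence against response splitting, and it is easiest to see why with the two forms side by side. The following is an added example (not part of the CEH material): a redirect handler that copies a query parameter into the Location header verbatim, beside one that refuses CR/LF/NUL and then percent-encodes the value, plus a helper that counts status lines so you can see the single response turn into two. The handler and the injected query value are constructed for the example.

```python
from urllib.parse import quote, unquote

class HeaderInjection(ValueError):
    """Raised when a header value would start a new line in the response."""

def build_redirect_unsafe(lang):
    """'Before' form: the query parameter lands in Location exactly as received."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index.html?lang=" + lang + "\r\n"
            "Content-Length: 0\r\n\r\n")

def check_header_value(value):
    """Disallow CR (\\r, %0d), LF (\\n, %0a) and NUL in any header value."""
    if any(c in value for c in "\r\n\x00"):
        raise HeaderInjection("CR/LF/NUL not allowed in a header value")
    return value

def build_redirect_safe(lang):
    """Hardened form: reject line breaks outright, then percent-encode so the
    value can only ever be part of this one header line."""
    check_header_value(lang)
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index.html?lang=" + quote(lang, safe="") + "\r\n"
            "Content-Length: 0\r\n\r\n")

def is_rejected(value):
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(value)
    except HeaderInjection:
        return True
    return False

def count_responses(raw):
    """Status lines in what went down the wire; more than one means the
    response was split, and a shared proxy may cache the second one under
    whatever URL it serves next (the cache poisoning the slide refers to)."""
    return raw.count("HTTP/1.1 ")

# Constructed: what "?lang=" carrying %0d%0a sequences decodes to on the server.
INJECTED_QUERY = ("en%0d%0aContent-Length:%200%0d%0a%0d%0a"
                  "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
                  "Content-Length:%2021%0d%0a%0d%0a%3Chtml%3EPoisoned%3C/html%3E")
INJECTED_VALUE = unquote(INJECTED_QUERY)

if __name__ == "__main__":
    print("unsafe, normal value:", count_responses(build_redirect_unsafe("en")), "response(s)")
    print("unsafe, CRLF value:  ", count_responses(build_redirect_unsafe(INJECTED_VALUE)), "response(s)")
    print("safe, CRLF value rejected:", is_rejected(INJECTED_VALUE))
```

Percent-encoding alone would also neutralise the line breaks, but the explicit check is what the slide asks for and what you want to log: a CR or LF inside a header parameter is never legitimate input, so the rejection itself is a useful detection event.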
Module Flow
CEH
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures
This section describes patch
bugs in the
webservers in order to protect them from
Patches and Hotfixes
CEH
A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs, and improve the usability or performance of a computer program or its supporting data. A patch can be considered as a repair job to a programming problem.
Hotfixes are an update to fix a specific customer issue and are not always distributed outside the customer organization.
Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.
A patch is a program used to make changes in the software installed on a computer. Patches are used to fix bugs, to address security problems, to add functionality, etc. A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs, and improve the usability or performance of a computer program or its supporting data. A patch
organization. Users may be notified through
are sometimes packaged as a set of fixes called a combined hotfix or service pack.
What Is Patch Management?
CEH
"Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities"
An automated patch management process:
Assess: Assess the issue(s) and its associated severity by mitigating the factors that may influence the decision
Test: Install the patch first on a testing machine to verify the consequences of the update
Deploy: Deploy the patch to the computers and make sure the applications are not affected
According to
management is
Choosing, verifying, testing, and applying patches
Updating previously applied patches with current patches
Listing patches applied previously to the current software
Recording repositories, or depots, of patches for easy selection
Assigning and deploying the applied patches
1. Detect: It is very important to always detect missing security patches through proper detecting tools. If there is any delay in the detection process, the chances of malicious attacks are very high.
2. Assess: Once the detection process is finished, it is always better to assess the various issues and the factors associated with them, and better to implement those strategies where issues can be drastically reduced or eliminated.
3. Acquire: The suitable patch required to fix the issues has to be downloaded.
4. Test: It is always suggested to first install the required patch onto the testing system rather than the main system, as this provides a chance to verify the various consequences of the update.
5. Deploy: Patches are to be deployed into the systems with utmost care, so that no application of the system is affected.
6. Maintain: It is always useful to subscribe to get notifications about various possible vulnerabilities as they are reported.
Identifying Appropriate Sources for Updates and Patches

First make a patch management plan that fits the operational environment and business objectives.
Find appropriate updates and patches on the home sites of the applications or operating systems' vendors.
The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.
Installation of a Patch

In this method, the user has to download the patch from the vendor and fix it.
In this method, the applications use the AutoUpdate feature to update themselves.

... Internet. Patches can be ...
Implementation and Verification of a Security Patch or Upgrade

Use a proper patch management program to validate file versions and checksums before deploying security patches.
The patch management tool must be able to monitor the patched systems.
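The six-step process above and the version and checksum checks called for here can be tied together in code. The following Python patch depot is an added example, not part of the courseware or of any real patch management product: PatchDepot, its method names, the product names, version strings, patch identifiers and the patch payload are all constructed. It refuses to store a download whose SHA-256 does not match the vendor-published digest, refuses to deploy a patch that has not been tested, and compares versions numerically so that a missing patch is detected correctly.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional


class Stage(Enum):
    DETECTED = auto()
    ASSESSED = auto()
    ACQUIRED = auto()
    TESTED = auto()
    DEPLOYED = auto()


def parse_version(version: str):
    """'2.2.2170.0' -> (2, 2, 2170, 0): compared as integers, so 1.10 > 1.9."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class PatchRecord:
    patch_id: str
    product: str
    fixed_version: str        # installed versions below this one are vulnerable
    expected_sha256: str      # digest published by the vendor (constructed here)
    severity: Optional[str] = None
    stage: Stage = Stage.DETECTED
    payload: Optional[bytes] = None


class PatchDepot:  # hypothetical depot: records patches and refuses to skip a step
    def __init__(self, installed: Dict[str, str]):
        self.installed = dict(installed)          # product -> installed version
        self.records: Dict[str, PatchRecord] = {}

    def detect(self, patch_id, product, fixed_version, expected_sha256) -> bool:
        """Step 1: record the patch only if the installed version is below the fix."""
        if parse_version(self.installed[product]) >= parse_version(fixed_version):
            return False
        self.records[patch_id] = PatchRecord(patch_id, product, fixed_version, expected_sha256)
        return True

    def assess(self, patch_id, severity):
        """Step 2: attach the severity that drives deployment priority."""
        rec = self._expect(patch_id, Stage.DETECTED)
        rec.severity, rec.stage = severity, Stage.ASSESSED

    def acquire(self, patch_id, payload: bytes):
        """Step 3: keep the downloaded file only if its SHA-256 matches the vendor's."""
        rec = self._expect(patch_id, Stage.ASSESSED)
        self._verify(rec, payload)
        rec.payload, rec.stage = payload, Stage.ACQUIRED

    def mark_tested(self, patch_id):
        """Step 4: installation on the test system succeeded."""
        self._expect(patch_id, Stage.ACQUIRED).stage = Stage.TESTED

    def deploy(self, patch_id):
        """Step 5: deploy only a tested patch, re-checking the digest at deploy time."""
        rec = self._expect(patch_id, Stage.TESTED)
        self._verify(rec, rec.payload)        # the stored file may have changed since step 3
        self.installed[rec.product] = rec.fixed_version
        rec.stage = Stage.DEPLOYED

    def _expect(self, patch_id, stage: Stage) -> PatchRecord:
        rec = self.records[patch_id]
        if rec.stage is not stage:
            raise RuntimeError(f"{patch_id} is {rec.stage.name}, expected {stage.name}")
        return rec

    @staticmethod
    def _verify(rec: PatchRecord, payload: bytes):
        digest = hashlib.sha256(payload).hexdigest()
        if not hmac.compare_digest(digest, rec.expected_sha256):
            raise ValueError(f"{rec.patch_id}: checksum mismatch, refusing to proceed")


def refused(exc, fn, *args) -> bool:  # True if the depot rejects fn(*args) with exc
    try:
        fn(*args)
        return False
    except exc:
        return True


def run_lifecycle():
    """Walk one constructed patch through every step and report what happened."""
    payload = b"constructed patch payload, not a real update"
    published = hashlib.sha256(payload).hexdigest()
    depot = PatchDepot({"ExampleApp": "2.2.2170.0", "OtherApp": "1.10.0"})
    out = {"detected": depot.detect("KB-EXAMPLE", "ExampleApp", "2.2.2180.0", published),
           "already_current": not depot.detect("KB-OTHER", "OtherApp", "1.9.0", published)}
    depot.assess("KB-EXAMPLE", "high")
    out["tamper_rejected"] = refused(ValueError, depot.acquire, "KB-EXAMPLE", payload + b"\x00")
    depot.acquire("KB-EXAMPLE", payload)
    out["untested_deploy_blocked"] = refused(RuntimeError, depot.deploy, "KB-EXAMPLE")
    depot.mark_tested("KB-EXAMPLE")
    depot.deploy("KB-EXAMPLE")
    out["installed"] = depot.installed["ExampleApp"]
    return out
```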
Patch Management Tool: Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. It also scans a computer for insecure configuration settings.

[Screenshot: MBSA "Report Details for WORKGROUP - WIN-MSSELCK4K41 (2012-10-12 10:28:06)". Computer name WORKGROUP\WIN-MSSELCK4K41, IP address 169.254.103.138, scanned with MBSA version 2.2.2170.0, security update catalog Microsoft Update. The Security Update Scan Results, sorted by score (worst first), list Developer Tools, Runtimes, and Redistributables Security Updates; Office Security Updates; and SQL Server Security Updates.]
Patch Management Tools

In addition to MBSA, there are other patch management tools to list missing updates, patches, and security misconfigurations. A list of patch management tools follows:
Altiris Client Management Suite, available at http://www.symantec.com
GFI LANguard, available at http://www.gfi.com
Kaseya Security Patch Management, available at http://www.kaseya.com
ZENworks Patch Management, available at http://www.novell.com
Security Manager Plus, available at http://www.manageengine.com
Prism Patch Manager, available at http://www.newboundary.com
MaaS360 Patch Analyzer Tool, available at http://www.maas360.com
Secunia CSI, available at http://secunia.com
Lumension Patch and Remediation, available at http://www.lumension.com
VMware vCenter Protect, available at http://www.vmware.com
Module Flow

Web servers should avoid the threat of being attacked. Web server security can be monitored with the help of web server security tools.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures

This section lists and describes various web server security tools.
Web Application Security Scanner: Syhunt Dynamic

Source: http://www.syhunt.com

Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats. Its features include:
Supports any web server platform.
White-Box Testing: By automating the process of reviewing the web application's code, Sandcat's code scanning functionality can make the life of QA testers easier.
The number of threads can be adjusted.
Deep Crawling: Maps the entire website structure (all links, forms, XHR requests, pages) discovered by crawling a single web URL or a set of URLs provided by the user.
Advanced Injection: Runs security tests against a wide range of attacks, sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion, and many other web application vulnerability classes.
Reporting: Generates a report containing information about the vulnerabilities found after examining the application's response to the attacks.
Web Application Security Scanner: N-Stalker Web Application Security Scanner

N-Stalker is a Web Application Security Scanner to search for vulnerabilities such as SQL injection, XSS, and known attacks.
... managing the web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.
Web Server Security Scanner: Wikto

... monitoring. Wikto is coded in C# and requires the .NET framework. Wikto may not test for SQL injections, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.
Web Server Security Scanner: Acunetix Web Vulnerability Scanner

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner (WVS) checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools to ease the manual security audit processes, and also creates professional security audit and regulatory compliance reports.

[Screenshot: Acunetix Web Vulnerability Scanner (Free Edition) after scanning http://www.juggyboy.com:80/ (381 requests, scan finished), reporting threat level 0 (Safe).]
Web Server Malware Infection Monitoring Tool: HackAlert

Source: http://www.armorize.com

HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements. Optimizing multiple analysis techniques, it identifies injected malware and generates alarms before search engines blacklist the website. This enables immediate remediation to protect customers, business reputation, and revenues. It is accessed via either a web-based SaaS interface or a flexible API.

Protects clients and customers from malware-injected websites, drive-by downloads, and malicious advertising
Identifies malware before the website is flagged as malicious
Displays injected code snippets to facilitate remediation
Deploys as cloud-based SaaS or as a flexible API for enterprise integration
Integrates with WAF or web server modules for instant mitigation
Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection

Source: http://www.qualys.com

QualysGuard Malware Detection Service scans websites for malware infections and threats.
... provided so that organizations can take quick action to isolate and remove malware.

[Screenshot: QualysGuard Malware Detection Service portal. Site Creation, Step 5 of 5 (Review and Confirm) for "Own Site", site URL http://www.juggyboy.com, Maximum Pages 200; the MDS Dashboard lists the scanned pages of the site with High, Med, Low, and Info severity counts.]
Webserver Security Tools

Webserver security tools scan large, complex websites and web applications to tackle web-based vulnerabilities. These tools identify application vulnerabilities as well as site exposure risk, rank threat priority, produce highly graphical, intuitive HTML reports, and indicate site security posture by vulnerabilities and threat level. Some of the web server security tools include:
Retina CS, available at http://www.beyondtrust.com
Nscan, available at http://nscan.hypermart.net
NetIQ Secure Configuration Manager, available at http://www.netiq.com
SAINTscanner, available at http://www.saintcorporation.com
HP WebInspect, available at https://download.hpsmartupdate.com
Arirang, available at http://monkey.org
N-Stealth Security Scanner, available at http://www.nstalker.com
Infiltrator, available at http://www.infiltration-systems.com
WebCruiser, available at http://sec4app.com
dotDefender, available at http://www.applicure.com
Module Flow

The whole idea behind ethical hacking is to hack your own network or system in order to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures
Web Server Pen Testing Tool: CORE Impact Pro

Source: http://www.coresecurity.com

... existing security investments. This tool is able to perform the following:
Identify weaknesses in web applications, web servers, and associated databases
Dynamically generate exploits that can compromise security weaknesses
Demonstrate the potential consequences of a breach
Gather information necessary for addressing security issues and preventing data incidents
Web Server Pen Testing Tool: Immunity CANVAS

Source: http://www.immunitysec.com

CANVAS is an automated exploitation system, and a comprehensive, reliable exploit development framework for penetration testers and security professionals. It allows a pen tester to discover all possible security vulnerabilities on the web server.
Web Server Pen Testing

Web server pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Why Web Server Pen Testing?

Web server pen testing is useful for:
Identification of Web Infrastructure: To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.
Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that it is completely secure.
Web Server Penetration Testing

Web server penetration testing starts with collecting as much information as possible about an organization, ranging from its physical location to its operating environment.
Search open sources for information about the target.
Perform social engineering: Use social engineering techniques to collect information.
... name, IP address, administrative contacts, Autonomous System Number, DNS, etc.
Document all information about the target. You should document all the information obtained from the various sources.

Note: Refer to Module 02: Footprinting and Reconnaissance for more information about information-gathering techniques.
Web Server Penetration Testing (Cont'd)

Step 5: Fingerprint the web server
Perform fingerprinting on the web server to gather information such as server name, server type, operating systems, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.

Step 6: Perform website crawling
Perform website crawling to gather specific information from web pages, such as email ...
Web Server Penetration Testing (Cont'd)

Step 9: Perform vulnerability scanning
Perform vulnerability scanning to identify weaknesses in a network using tools such as HP WebInspect, Nessus, etc. and determine if the system can be exploited.

Step 10: Perform an HTTP response splitting attack
Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.

Step 11: Perform a web cache poisoning attack
Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in the cache.

Step 12: Brute force login credentials
Brute force SSH, FTP, and other services' login credentials to gain unauthorized access.

Step 13: Perform session hijacking
Perform session hijacking to capture valid session cookies and IDs. You can use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
CEH
UrtifW4
ttkKJi lUilwt
Perform M ITM attack to access sensitive information by intercepting and altering communications between an enduser and webservers
Note: Refer Module 13: Hacking Web Applications for more information on how to conduct web application pen testing
Examine
W e b s e rv e r logs
Use tools such as Webalizer, AWStats, Ktmatu Relax, etc. to examine web sever logs
Exploit fram ew o rk s
e b
S e r v e r
P e n e t r a t i o n
T e s t i n g
( C
o n t d )
Step 14: Perform a MITM attack
Perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers.

Step 16: Examine web server logs
Examine the server logs for suspicious activities. You can do this by using tools such as Webalizer, AWStats, Ktmatu Relax, etc.

Step 17: Exploit frameworks
Exploit the frameworks used by the web server using tools such as Acunetix, Metasploit, w3af, etc.

Step 18: Document all the findings
Summarize all the tests conducted so far along with the findings for further analysis. Submit a copy of the penetration test report to the authorized person.
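Step 16 asks the tester to examine the server logs for suspicious activity. As an added example that is not part of the courseware, the following Python script parses constructed Apache "combined"-format access log lines and flags two patterns the earlier steps describe: percent-encoded CR/LF in a request URI (the signature of a response splitting or cache poisoning attempt, steps 10 and 11) and repeated 401 responses from one source (credential brute forcing, step 12). The log lines, addresses and the failure threshold are constructed assumptions, not data from the module.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" access log format: ip ident user [ts] "req" status bytes "ref" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Raw or percent-encoded CR/LF in a request line marks a response-splitting /
# cache-poisoning attempt: the sender is trying to terminate the header block early.
CRLF_RE = re.compile(r'%0[dD]|%0[aA]|\r|\n')

def parse_line(line):
    """Return the fields of one combined-format line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_crlf_injection(entries):
    """(ip, uri) pairs whose URI carries CR/LF; decoding once also catches double encoding."""
    return [(e["ip"], e["uri"]) for e in entries
            if CRLF_RE.search(e["uri"]) or CRLF_RE.search(unquote(e["uri"]))]

def find_auth_bruteforce(entries, threshold=5):
    """Source IPs with at least `threshold` 401 responses, i.e. repeated credential guessing."""
    fails = Counter(e["ip"] for e in entries if e["status"] == "401")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def analyse(text):
    """Parse a whole log and return both findings; unparseable lines are skipped."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {"crlf": find_crlf_injection(entries), "bruteforce": find_auth_bruteforce(entries)}

# Constructed sample log (not real traffic); 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [10/Sep/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
     '203.0.113.7 - - [10/Sep/2012:10:00:02 +0000] "GET /redirect?to=%0d%0aX-Injected:%201 HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
    + ['198.51.100.9 - - [10/Sep/2012:10:00:%02d +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "curl/7.26"' % s
       for s in range(3, 9)]  # six failed logins from one source address
)

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```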
Module Summary

Web servers assume critical importance in the realm of Internet security.
Vulnerabilities exist in different releases of popular web servers, and the respective vendors patch these often.
The inherent security risks owing to compromised web servers impact the local area networks that host these websites, and even the normal users of web browsers.
The long list of vulnerabilities that have been discovered and patched over the past few years gives an attacker ample scope to plan attacks on unpatched servers.
Different tools and exploit codes aid an attacker in perpetrating web server hacking.
Countermeasures include scanning for existing vulnerabilities and patching them immediately, restricting anonymous access, screening incoming traffic requests, and filtering.