
Hacking Webservers

Module 12

Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers
Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Module 12 Page 1601

Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility

Monday, September 10th, 2012

Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack. According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it. Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service. Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers; specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.

AnonymousOwn3r's bio reads "Security leader of #Anonymous (Official member)." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti godaddy, you guys will understand because i did this attack."

Copyright 2012 AOL Inc. By Klint Finley http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


Module Objectives

- IIS Webserver Architecture
- Why Web Servers Are Compromised?
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- Countermeasures
- How to Defend Against Web Server Attacks
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how the attacker hacks it, what the different types of attacks are that an attacker can carry out on web servers, the tools used in web server hacking, etc. Exploring web server security is a vast domain, and to delve into the finer details of the discussion is beyond the scope of this module. This module familiarizes you with the topics listed above.


Module Flow

To understand hacking web servers, first you should know what a web server is, how it functions, and what the other elements associated with it are. All these are simply termed web server concepts. So first we will discuss web server concepts.

Webserver Concepts
-------------------
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures

This section gives you a brief overview of the web server and its architecture. It will also explain the common reasons or mistakes that encourage attackers to hack a web server and let them succeed in that. This section also describes the impact of attacks on the web server.


Web Server Market Shares

Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, i.e., 64.6%. Below that, Microsoft IIS is used by 17.4% of users.

FIGURE 12.1: Web Server Market Shares (bar chart; values legible in the figure: Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%; Tomcat and Lighttpd are also shown)


Open Source Web Server Architecture

The diagram below illustrates the basic components of open source web server architecture.

FIGURE 12.2: Open Source Web Server Architecture (components shown: Site Users, Site Admin and Attacks reaching the server over the Internet; on the server, the Linux file system, Apache, PHP, a compiled extension, MySQL, Email, and Applications)

Where:
Linux - the server's operating system
Apache - the web server component
MySQL - a relational database
PHP - the application layer


IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.

IIS, also known as Internet Information Services, is a web server application developed by Microsoft that can be used with Microsoft Windows. This is the second largest web server after the Apache HTTP server. It occupies around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. The diagram that follows illustrates the basic components of IIS web server architecture:

FIGURE 12.3: IIS Web Server Architecture

Components shown in the figure:
- Client, reaching the server over the Internet
- Kernel mode: HTTP Protocol Stack (HTTP.SYS)
- User mode: Svchost.exe hosting the Windows Activation Service (WAS) and the WWW Service, both reading applicationHost.config
- Application Pool:
  - Web Server Core: begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing
  - Native Modules: anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging
  - AppDomain: Managed Modules, Forms Authentication
  - External Apps


Website Defacement

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offending data. Defaced pages expose visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected.

Website defacement is the process of changing the content of a website or web page by hackers. Hackers break into web servers and alter the hosted website by creating something new. Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.

FIGURE 12.4: Website Defacement (browser screenshot of http://juggyboy.com/index.aspx showing a defaced page reading "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com")


Why Web Servers Are Compromised

- Unnecessary default, backup, or sample files
- Installing the server with default settings
- Security conflicts with business ease-of-use case
- Improper file and directory permissions
- Misconfigurations in web server, operating systems, and networks
- Default accounts with their default or no passwords
- Lack of proper security policy, procedures, and maintenance
- Security flaws in the server software, OS, and applications
- Bugs in server software, OS, and web applications
- Misconfigured SSL certificates and encryption settings
- Improper authentication with external systems
- Use of self-signed certificates and default certificates
- Administrative or debugging functions that are enabled or accessible
- Unnecessary services enabled, including content management and remote administration

There are inherent security risks associated with web servers, the local area networks that host websites, and users who access these websites using browsers.

Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. This may be in the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large complex programs are often considered the source of imminent security lapses. However, web servers are large, complex devices and also come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make a web server almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server, so that legitimate users are recognized and authenticated, and various groups of users are assigned distinct access privileges.

End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website to the browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The table that follows shows the causes and consequences of web server compromises:

Cause / Consequence
- Installing the server with default settings
- Improper file and directory permissions
- Unnecessary default, backup, or sample files
- Security conflicts with business ease-of-use case
- Default accounts with their default passwords
- Unpatched security flaws in the server software, OS, and applications
- Misconfigured SSL certificates and encryption settings
- Use of self-signed certificates and default certificates
- Unnecessary services enabled, including content management and remote administration
- Misconfigurations in web server, operating systems, and networks
- Lack of proper security policy, procedures, and maintenance
- Bugs in server software, OS, and web applications
- Improper authentication with external systems
- Administrative or debugging functions that are enabled or accessible

TABLE 12.1: Causes and consequences of web server compromises


Impact of Web Server Attacks

- Compromise of user accounts
- Data tampering
- Website defacement
- Secondary attacks from the website
- Data theft
- Root access to other applications or servers

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:

- Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, then the attacker can gain a lot of useful information. The attacker can use the compromised user account to launch further attacks on the web server.
- Data tampering: The attacker can alter or delete the data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.
- Website defacement: Hackers completely change the outlook of the website by replacing the original data. They change the website look by changing the visuals and displaying different pages with messages of their own.
- Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.
- Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive data of the company, like the source code of a particular program.
- Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, semi-dedicated, or virtual private server. Attackers can perform any action once they get root access to the source.


Module Flow

Considering that you became familiar with the web server concepts, we move forward to the possible attacks on web servers. Each and every action online is performed with the help of a web server. Hence, it is considered a critical asset of an organization. This is the same reason for which attackers are targeting web servers. There are many attack techniques used by attackers to compromise web servers. Now we will discuss those attack techniques: ... attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.

Webserver Concepts
Webserver Attacks
-------------------
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures


Web Server Misconfiguration

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft.

- Verbose debug/error messages
- Remote administration functions
- Anonymous or default users/passwords
- Unnecessary services enabled
- Sample configuration and script files
- Misconfigured/default SSL certificates

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once these vulnerabilities are found by the attacker, they become the doorways for the attacker to enter the network of a company. These loopholes of the server can help attackers to bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website.

- Remote administration functions can be a source for breaking down the server for the attacker.
- Some unnecessary services enabled are also vulnerable to hacking.
- Misconfigured/default SSL certificates.
- Verbose debug/error messages.
- Anonymous or default users/passwords.
- Sample configuration and script files.


Web Server Misconfiguration Example

Consider the httpd.conf file on an Apache server.

    <Location /server-status>
        SetHandler server-status
    </Location>

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed. Consider another example, the php.ini file.

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server

This configuration gives verbose error messages.
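The two fragments above can be checked mechanically. The following audit script is an added example, not part of the courseware: it parses php.ini-style `key = value` lines and Apache `<Location>` blocks and reports the weak settings shown in the figures beside a corrected version of each file. The configuration texts are constructed for the example; `Require local` and `Require ip` are Apache 2.4 (mod_authz_core) directives, and the function names are this example's own. Note that the courseware's figure spells the PHP directive `display_error`; the directive PHP actually reads is `display_errors`.

```python
# Added example, not the courseware's own code: audit the two misconfigurations
# from the figures above. WEAK_* carries the slide's settings (constructed text),
# FIXED_* a corrected version. 'Require local' / 'Require ip' are real Apache 2.4
# (mod_authz_core) directives; the helper names are this example's own.
import re
from typing import Dict, List

WEAK_HTTPD = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

FIXED_HTTPD = """
<Location /server-status>
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/8
</Location>
"""

# The figure writes 'display_error'; PHP's directive is 'display_errors'.
WEAK_PHP_INI = """
[PHP]
display_errors = On      ; error text goes to the HTTP client
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

FIXED_PHP_INI = """
[PHP]
display_errors = Off     ; errors are logged, never shown to the client
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; ';' starts a comment, [sections] are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_php_ini(text: str) -> List[str]:
    """Flag settings that leak error detail to clients or hide it from operators."""
    s = parse_ini(text)
    findings: List[str] = []
    if s.get("display_errors", "off") in ("on", "1", "stdout", "stderr"):
        findings.append("display_errors is on: PHP error text (file paths, query "
                        "fragments, stack traces) is sent to the client; set it Off")
    if s.get("log_errors", "off") not in ("on", "1"):
        findings.append("log_errors is off: operators get no record of failures")
    return findings


LOCATION_BLOCK = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.I | re.S)
ACCESS_RULE = re.compile(r"^\s*Require\s+(ip|local|host)\b", re.I | re.M)


def audit_httpd_conf(text: str) -> List[str]:
    """Flag a server-status handler that no address-based Require rule limits;
    that is exactly what lets anyone fetch the status page."""
    findings: List[str] = []
    for match in LOCATION_BLOCK.finditer(text):
        path, body = match.group(1), match.group(2)
        if re.search(r"SetHandler\s+server-status", body, re.I) and not ACCESS_RULE.search(body):
            findings.append(path + ": server-status is exposed without an address "
                            "restriction; add 'Require local' or 'Require ip <admin net>'")
    return findings


def audit_all(httpd_conf: str, php_ini: str) -> List[str]:
    """Combined report, one string per finding."""
    return audit_httpd_conf(httpd_conf) + audit_php_ini(php_ini)


if __name__ == "__main__":
    for label, conf, ini in (("weak", WEAK_HTTPD, WEAK_PHP_INI),
                             ("fixed", FIXED_HTTPD, FIXED_PHP_INI)):
        print(label, audit_all(conf, ini) or ["no findings"])
```

Keeping `log_errors = On` with `error_log = syslog` while turning `display_errors` off is the usual arrangement: the detail the slide calls "verbose" still reaches the operator's log, just not the browser.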


Volume in drive C has no label. Volume Serial Number is D45E-9FEE

3 / I

j My Computer +1 3Vb floppy (A:) Local Disk (( B Ctocumcnte and Scttngs

! H t J Inetpub

http://server.eom/s cripts/..%5c../Wind 0ws/System32/cm d.exe?/c+dir+c:\

C o p y rig h t b y EG-G (IIIICil. A ll R ights R eserved. R e p ro d u c tio n is S tric tly P ro h ib ite d .

Directory Traversal Attacks


Web servers are designed in such a way that the public access is limited to some extent. Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL. Attackers can use the trial-and-error method to navigate outside of the root directory and access sensitive information in the system.
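The defence against the traversal request in the figure (`..%5c..`, a percent-encoded backslash that Windows servers treat as a path separator) is to decode the URL path, canonicalise it, and prove the result still lies under the document root before touching the file system. The following is an added example, not code from the course material; the document root is a throwaway temporary directory and the request paths are constructed (the first one is the path from the slide's URL).

```python
"""Map URL paths to files under a fixed document root and reject anything
that resolves outside it.

Added example, not from the course material. The document root and the
sample requests are constructed for the demonstration."""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(Exception):
    pass


def resolve_request_path(doc_root, request_path):
    """Return the canonical filesystem path for request_path, or raise.

    1. percent-decode twice so a double-encoded ..%255c.. is seen as well
    2. treat backslashes as separators (what %5c in the slide URL relies on)
    3. canonicalise with realpath (collapses .., follows symlinks)
    4. require the result to be inside the canonical root
    """
    root = os.path.realpath(doc_root)
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath is the containment test; a plain string-prefix check would
    # accept /var/www-evil when the root is /var/www.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"path escapes document root: {request_path}")
    return candidate


def is_allowed(doc_root, request_path):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_request_path(doc_root, request_path)
        return True
    except TraversalError:
        return False


# Constructed requests: the slide's traversal path, a double-encoded variant,
# and a benign request.
TRAVERSAL_REQUEST = "/scripts/..%5c../Windows/System32/cmd.exe"
DOUBLE_ENCODED_REQUEST = "/scripts/..%255c..%255c..%255cetc/passwd"
BENIGN_REQUEST = "/images/logo.png"


def demo_results():
    """Evaluate the three constructed requests against a throwaway root."""
    with tempfile.TemporaryDirectory() as root:
        return {req: is_allowed(root, req)
                for req in (BENIGN_REQUEST, TRAVERSAL_REQUEST, DOUBLE_ENCODED_REQUEST)}


if __name__ == "__main__":
    for req, ok in demo_results().items():
        print(req, "->", "allowed" if ok else "rejected")
```

The check is done on the canonical path, not on the request string, so it does not depend on spotting every encoding of `..`; any request whose resolved location leaves the root is refused.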

    http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

    Volume in drive C has no label.
    Volume Serial Number is D45E-9FEE
    Directory of C:\
    (listing of C:\ returned by the traversal request: .rnd, 123.text, AUTOEXEC.BAT, CATALINA_HOME, CONFIG.SYS, Documents and Settings, Downloads, Intel, Program Files, Snort, WINDOWS, WinDump.exe; 7 File(s) 570,368 bytes; 13 Dir(s) 13,432,115,200 bytes free)

FIGURE 12.7: Directory Traversal Attacks


HTTP Response Splitting Attack


An HTTP response splitting attack involves adding header response data into the input field so that the server splits the response into two responses. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.

HTTP Response Splitting Attack


An HTTP response splitting attack is a web-based attack where a server is tricked by injecting new lines into response headers along with arbitrary code. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection are some of the examples for this type of attack. The attacker alters a single request to appear and be processed by the web server as two requests. The web server in turn responds to each request. This is accomplished by adding header response data into the input field. An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.


Input = Jason

    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n

    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

First Response (Controlled by Attacker)

    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker

Second Response

    HTTP/1.1 200 OK

FIGURE 12.8: HTTP Response Splitting Attack


Web Cache Poisoning Attack

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in the cache.


Web Cache Poisoning Attack


Web cache poisoning is an attack that is carried out in contrast to the reliability of an intermediate web cache source, in which honest content cached for a random required URL is swapped with infected content. Users of the web cache source can unknowingly use the poisoned content instead of true and secured content when demanding the required URL through the web cache.

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to store in cache. In the following diagram, the whole process of web cache poisoning is explained in detail with a step-by-step procedure.
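Both the response splitting section above and this cache poisoning section rest on the same defect: an untrusted value with CR/LF inside reaches a response header, and a downstream cache or browser then reads two responses where the server meant to send one. The following is an added example, not code from the course material, that reproduces the effect with a toy header builder (modelled on the servlet fragment in Figure 12.8), a toy shared cache that pairs responses with queued requests, and the hardened builder that refuses CR/LF. The header values, URLs and the cache model are constructed for the demonstration.

```python
"""One untrusted header value, two responses: how a split response lands in a
shared cache under an unrelated URL, and the validation that prevents it.

Added example, not from the course material. The mini response builder, the
cache model and the injected value are constructed stand-ins."""


def build_response_naive(author):
    """Mirrors Figure 12.8: the request parameter goes into Set-Cookie as-is."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: author={author}\r\n"
            "Content-Length: 0\r\n\r\n")


def build_response_safe(author):
    """Hardened variant: refuse any value that could terminate the header."""
    if any(ch in author for ch in "\r\n\x00"):
        raise ValueError("CR/LF not allowed in header values")
    return build_response_naive(author)


def safe_rejects(author):
    """True if the hardened builder refuses the value."""
    try:
        build_response_safe(author)
        return False
    except ValueError:
        return True


def split_responses(raw):
    """Read a raw stream the way a permissive proxy or browser does: each
    'HTTP/1.1 ' status line begins a new response."""
    return ["HTTP/1.1 " + chunk for chunk in raw.split("HTTP/1.1 ")[1:]]


class SharedCache:
    """Toy forward cache: the n-th response on a connection is stored under
    the n-th request URL queued on it. This pairing is what the attack abuses."""

    def __init__(self):
        self.store = {}

    def fill(self, requested_urls, raw_stream):
        for url, resp in zip(requested_urls, split_responses(raw_stream)):
            self.store[url] = resp

    def get(self, url):
        return self.store.get(url)


# Constructed injected value: the name from the slide followed by a forged
# second response, as in the redir.php request of Figure 12.9.
INJECTED = ("JasonTheHacker\r\nContent-Length: 0\r\n\r\n"
            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Content-Length: 24\r\n\r\n<html>Attack Page</html>")


def poisoning_demo():
    """Attacker sends /redir.php with the injected value and queues
    /index.html behind it; return what the cache now holds for /index.html."""
    cache = SharedCache()
    cache.fill(["/redir.php", "/index.html"], build_response_naive(INJECTED))
    return cache.get("/index.html")


if __name__ == "__main__":
    print(len(split_responses(build_response_naive("Jason"))), "response(s) for a normal name")
    print(len(split_responses(build_response_naive(INJECTED))), "response(s) for the injected value")
    print("cached for /index.html:", poisoning_demo().splitlines()[-1])
    print("hardened builder rejects it:", safe_rejects(INJECTED))
```

The detection side follows from the same observation: a response whose header block contains a second status line, or a Set-Cookie value containing a bare CR or LF, is a response-splitting indicator in proxy or WAF logs.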


(Diagram: attacker, server cache, original juggyboy page, poisoned server cache. The target's vulnerable redirect is http://www.juggyboy.com/welcome.php?lang=<?php header("Location:" . $_GET['page']); ?>)

1. Attacker sends a request to remove the page from the cache:

    GET http://juggyboy.com/index.html HTTP/1.1
    Pragma: no-cache
    Host: juggyboy.com
    Accept-Charset: iso-8859-1,*,utf-8

2. Normal response after clearing the cache for juggyboy.com

3. Attacker sends a malicious request that generates two responses (4 and 6):

    GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
    Host: juggyboy.com

4. Attacker gets the first server response

5. Attacker requests juggyboy.com again to generate a cache entry:

    GET http://juggyboy.com/index.html HTTP/1.1
    Host: testsite.com
    User-Agent: Mozilla/4.7 [en] (WinNT; I)
    Accept-Charset: iso-8859-1,*,utf-8

6. Attacker gets the second response of request 3, which points to the attacker's page (Address: www.juggyboy.com, Page: Attacker's page)

FIGURE 12.9: Web Cache Poisoning Attack


HTTP Response Hijacking


HTTP response hijacking is accomplished with a response splitting request. In this attack, initially the attacker sends a response splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. On receiving the response from the web server, the victim requests for service by giving credentials. At the same time, the attacker requests the index page. Then the web server sends the response of the victim's request to the attacker and the victim remains uninformed. The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:


FIGURE 12.10: HTTP Response Hijacking


SSH Brute Force Attack

SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network.

Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel.

SSH tunnels can be used to transmit malware and other exploits to victims without being detected.

(Diagram: User and Attacker on the Internet; the SSH Server in front of the Mail Server, Web Server, Application Server and File Server)

SSH Brute Force Attack

SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. In order to conduct an attack on SSH, first the attacker scans the entire SSH server to identify the possible vulnerabilities. With the help of a brute force attack, the attacker gains the login credentials. Once the attacker gains the login credentials of SSH, he or she uses the same SSH tunnels to transmit malware and other exploits to victims without being detected.

(Diagram: Attacker on the Internet reaching the SSH Server and the Mail Server behind it)

FIGURE 12.11: SSH Brute Force Attack


Man-in-the-Middle Attack

Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers.

The attacker acts as a proxy such that all the communication between the user and the web server passes through him.

(Diagram: Normal Traffic between the user and the Webserver, with the Attacker positioned in between)

Man-in-the-Middle Attack

A man-in-the-middle attack is a method where an intruder intercepts or modifies the message being exchanged between the user and web server through eavesdropping or intruding into a connection. This allows the attacker to steal sensitive information of a user such as online banking details, user names, passwords, etc. transferred over the Internet to the web server. The attacker lures the victim to connect to the web server through the attacker by pretending to be a proxy. If the victim believes and agrees to the attacker's request, then all the communication between the user and the web server passes through the attacker. Thus, the attacker can steal sensitive user information.


(Diagram: User visits a website; Normal Traffic flows between the User and the Webserver; the Attacker sniffs the communication to steal session IDs)

FIGURE 12.12: Man-in-the-Middle Attack


Webserver Password Cracking

An attacker tries to exploit weaknesses to hack well-chosen passwords.

Many hacking attempts start with cracking passwords, and that proves to the web server that they are a valid user.

The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.

Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc.

Web form authentication cracking
SSH tunnels
FTP servers
SMTP servers
Web shares

Web Server Password Cracking

Most hacking starts with password cracking only. Once the password is cracked, the hacker can log in to the network as an authorized person. Most of the common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc.

Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, a brute force attack, a dictionary attack, etc. to crack passwords.

Attackers mainly target:

Web form authentication cracking
SSH tunnels
FTP servers
SMTP servers
Web shares


Webserver Password Cracking Techniques

Passwords can be cracked by using the following techniques:

Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.

Hybrid Attack

A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt.

Web Server Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack the password:

Guessing: A common cracking method used by attackers is to guess passwords either by humans or by automated tools provided with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same thing allows the attacker to crack passwords by guessing.

Dictionary Attack: A dictionary attack is a method that has predefined words of various combinations, but this might not be effective if the password consists of special characters and symbols; compared to a brute force attack, however, this is less time consuming.

Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase from "A to Z" or numbers from "0 to 9" or lowercase "a to z." This type of method is useful to identify one-word or two-word passwords, whereas if a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack the password, which is practically impossible.


Hybrid Attack: A hybrid attack is more powerful as it uses both a dictionary attack and brute force attack. It also consists of symbols and numbers. Password cracking becomes easier with this method.
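Seen from the defending side, the four techniques above define what a password policy has to refuse: anything on the common list (guessing), any plain dictionary word (dictionary attack), a dictionary word with digits or symbols bolted on (hybrid), and, for everything else, a search space small enough that the brute force sweep finishes quickly. The following added example (not from the course material) classifies a candidate password that way and, for the brute force case, computes the keyspace from the character classes the text describes (26 uppercase, 26 lowercase, 10 digits, 32 symbols). The word list is the slide's common-password list plus a few constructed words, and the guess rate used for the time estimate is an assumption.

```python
"""Classify a candidate password by the cracking technique that would recover
it first, from the defender's side.

Added example, not from the course material. The word list extends the slide's
common passwords with a few constructed words; the guess rate is an assumption."""
import math
import re
import string

# Common passwords named on the slide, plus constructed dictionary words.
COMMON_PASSWORDS = {"password", "root", "administrator", "admin", "demo",
                    "test", "guest", "qwerty"}
DICTIONARY_WORDS = COMMON_PASSWORDS | {"summer", "dragon", "welcome", "fluffy"}

# Hybrid shape: a run of letters with up to six digits/symbols before or after.
HYBRID_RE = re.compile(r"^[\W\d]{0,6}([a-zA-Z]{3,})[\W\d]{0,6}$")

CHARACTER_CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                     (string.digits, 10), (string.punctuation, 32)]


def brute_force_keyspace(password):
    """Alphabet size (sum of the character classes present) to the power of
    the length: the number of candidates an exhaustive sweep must try."""
    charset = sum(size for chars, size in CHARACTER_CLASSES
                  if any(c in chars for c in password))
    return charset ** len(password) if charset else 0


def classify(password, guesses_per_second=1e9):
    """Return (verdict, detail) with verdict one of
    'guessing', 'dictionary', 'hybrid', 'brute-force'."""
    if not password:
        return "guessing", "empty password"
    lower = password.lower()
    if lower in COMMON_PASSWORDS:
        return "guessing", "in the common-password list"
    if lower in DICTIONARY_WORDS:
        return "dictionary", "plain dictionary word"
    m = HYBRID_RE.match(password)
    if m and m.group(1).lower() in DICTIONARY_WORDS:
        return "hybrid", f"dictionary word {m.group(1)!r} with affixed digits/symbols"
    space = brute_force_keyspace(password)
    days = space / guesses_per_second / 86400
    return "brute-force", (f"keyspace 2^{math.log2(space):.1f}, about {days:.1f} days "
                           f"at {guesses_per_second:.0e} guesses/s (assumed rate)")


if __name__ == "__main__":
    for candidate in ("password", "Admin", "dragon", "Summer2010!", "abcdefgh", "xK9#pLq2mVz7"):
        verdict, detail = classify(candidate)
        print(f"{candidate!r:16} {verdict:12} {detail}")
```

The keyspace figures make the text's remark concrete: eight lowercase letters give 26^8 (about 2^37.6) candidates, while twelve characters drawn from all four classes give 94^12 (about 2^78.7), which is why length and mixed classes, not substitution tricks on a dictionary word, move a password out of reach of the hybrid attack.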


Web Application Attacks

Vulnerabilities in web applications running on a Webserver provide a broad attack path for Webserver compromise.

(Diagram: the attack types covered in the notes below, arranged around the web server)

Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications

Web Application Attacks

Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.

Directory Traversal

Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.

Parameter/Form Tampering

This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.

Cookie Tampering

Cookie tampering is the method of poisoning or tampering with the cookie of the client. The phases where most of the attacks are done are when sending a cookie from the client side to the server. Persistent and non-persistent cookies can be modified by using different tools.
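Parameter and cookie tampering both succeed because the server trusts a value it handed to the client to come back unchanged. The standard countermeasure is to make the value self-authenticating: the server appends an HMAC computed with a key the client never sees, and on every request recomputes and compares the tag before using the contents. The following is an added example, not from the course material; the key and the cookie contents are constructed, and the forged cookie in the demo edits the role and price fields exactly as a tampering tool would.

```python
"""Sign server-issued cookie values with HMAC-SHA256 so that a client-side edit
(role, price, user id) is detected on the next request.

Added example, not from the course material; the key and sample payloads are
constructed."""
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; in a real deployment it lives outside the code.
SERVER_KEY = b"constructed-demo-key-change-me"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload, key=SERVER_KEY):
    """Serialise the payload canonically and append its tag: body.tag"""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the payload if the tag matches, else None (treat as tampered)."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = _unb64(body_b64)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # constant-time comparison: a plain == would leak timing information
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        return json.loads(body)
    except (ValueError, TypeError):
        return None


def tamper_demo():
    """The client rewrites the body (role=admin, price=1.0) but has no key to
    recompute the tag; return (verified original, verified forgery)."""
    issued = sign_cookie({"user": "jason", "role": "user", "price": 49.0})
    _, tag_b64 = issued.split(".")
    forged_body = json.dumps({"user": "jason", "role": "admin", "price": 1.0},
                             sort_keys=True, separators=(",", ":")).encode()
    forged = f"{_b64(forged_body)}.{tag_b64}"
    return verify_cookie(issued), verify_cookie(forged)


if __name__ == "__main__":
    original, forged = tamper_demo()
    print("original cookie verifies to:", original)
    print("forged cookie verifies to:", forged)
```

Signing protects integrity only; the body is still readable by the client, so anything secret belongs server-side (a session id that keys a server-side store) rather than in a signed cookie.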


Command Injection Attacks

Command injection is an attacking method in which a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.

Buffer Overflow Attacks

Most web applications are designed to sustain some amount of data. If that amount is exceeded, the application may crash or may exhibit some other vulnerable behavior. The attacker uses this advantage and floods the applications with too much data, which in turn causes a buffer overflow attack.

Cross-Site Scripting (XSS) Attacks

Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.

Denial-of-Service (DoS) Attack

A denial-of-service attack is a form of attack method intended to terminate the operations of a website or a server and make it unavailable to access for intended users.

Unvalidated Input and File Injection Attacks

Unvalidated input and file injection attacks refer to the attacks carried out by supplying unvalidated input or by injecting files into a web application.

Cross-Site Request Forgery (CSRF) Attack

The user's web browser is requested by a malicious web page to send requests to a malicious website where various vulnerable actions are performed, which are not intended by the user. This kind of attack is dangerous in the case of financial websites.

SQL Injection Attacks

SQL injection is a code injection technique that uses the security vulnerability of a database for attacks. The attacker injects malicious code into the strings that are later on passed on to SQL Server for execution.

Session Hijacking

Session hijacking is an attack where the attacker exploits, steals, predicts, and negotiates the real valid web session control mechanism to access the authenticated parts of a web application.


Module Flow

Module Flow

So far we have discussed web server concepts and various techniques used by the attacker to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the methodology used by attackers to compromise web servers.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures

This section provides insight into the attack methodology and tools that help at various stages of hacking.


Webserver Attack Methodology

Information Gathering
Webserver Footprinting
Vulnerability Scanning
Hacking Webserver Passwords

Web Server Attack Methodology

Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of web server attack methodology include:

Information Gathering

Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she then analyzes the gathered information in order to find the security lapses in the current mechanism of the web server.

Web Server Footprinting

The purpose of footprinting is to gather more information about security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to know about its remote access capabilities, its ports and services, and the aspects of its security.

Mirroring Website

Website mirroring is a method of copying a website and its content onto another server for offline browsing.

Vulnerability Scanning


Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.

Session Hijacking

Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.

Hacking Web Server Passwords

Attackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.


Webserver Attack Methodology: Information Gathering

Information gathering involves collecting information about the targeted company.

Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.

Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get the details such as a domain name, an IP address, or an autonomous system number.

(Screenshot: WHOIS information for ebay.com from http://www.whois.net; reproduced in Figure 12.13)

Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance

http://www.whois.net

Web Server Attack Methodology: Information Gathering

Every attacker before hacking first collects all the required information such as versions and technologies being used by the web server, etc. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of the attackers' time is spent in the phase of information gathering only. That's why information gathering is both an art as well as a science. There are many tools that can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:

Whois
Traceroute
Active Whois
Nmap
Angry IP Scanner
Netcat


Whois
Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup and search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used for performing a search to see who owns a domain name, how many pages from a site are listed with Google, or even search the Whois address listings for a website's owner.

[whois.net screenshot: "WHOIS information for ebay.com", queried via whois.verisign-grs.com (Whois Server Version 2.0). Domain Name: EBAY.COM; Registrar: MARKMONITOR INC.; Whois Server: whois.markmonitor.com; Referral URL: http://www.markmonitor.com; Name Servers: SJC-DNS1.EBAYDNS.COM, SJC-DNS2.EBAYDNS.COM, SMF-DNS1.EBAYDNS.COM, SMF-DNS2.EBAYDNS.COM; Status: clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited, serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited; Updated Date: 15-sep-2010; Creation Date: 04-aug-1995; Expiration Date: 03-aug-2018.]

FIGURE 12.13: WHOIS Information Gathering


Webserver Attack Methodology: Webserver Footprinting


Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details.
Telnet a webserver to footprint it and gather information such as server name, server type, operating systems, applications running, etc.
Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting.

Web Server Attack Methodology: Web Server Footprinting


The purpose of footprinting is to gather account details, operating system and other software versions, server names, and database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to know about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet a web server to footprint it and gather information such as server name, server type, operating systems, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc.

Netcraft
Source: http://toolbar.netcraft.com
Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.


[Netcraft screenshot: "Search Web by Domain" over 1,045,745 websites visited by users of the Netcraft Toolbar, dated 3rd August 2012, query "site contains microsoft", result "Found 252 sites", listed with the columns Site, Site Report, First seen, Netblock and OS. Entries include www.microsoft.com, support.microsoft.com, technet.microsoft.com, windows.microsoft.com, msdn.microsoft.com, office.microsoft.com, social.technet.microsoft.com, answers.microsoft.com, www.update.microsoft.com, social.msdn.microsoft.com, go.microsoft.com, windowsupdate.microsoft.com, update.microsoft.com, www.microsofttranslator.com, search.microsoft.com, www.microsoftstore.com, login.microsoftonline.com and wer.microsoft.com. Netblocks are mostly Microsoft Corp, with Microsoft Limited, MS Hotmail, Akamai Technologies, Akamai International B.V. and Digital River Ireland Ltd. also listed; reported OSes include Citrix NetScaler, Windows Server 2008, Windows Server 2003, Linux, F5 BIG-IP and unknown.]

FIGURE 12.14: Web server Footprinting


Webserver Footprinting Tools



Web Server Footprinting Tools


We have already discussed the Netcraft tool. In addition to the Netcraft tool, there are two more tools that allow you to perform web server footprinting. They are httprecon and ID Serve.

httprecon
Source: http://www.computec.ch
httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.


[httprecon 7.3 screenshot: target http://www.nytimes.com:80/, reported as Sun ONE Web Server 6.1. The "GET existing" response reads HTTP/1.1 200 OK with Date: Thu, 11 Oct 2012 09:34:37 GMT, Server: Apache, expires: Thu, 01 Dec 1994 16:00:00 GMT, cache-control: no-cache, pragma: no-cache, two Set-Cookie headers for Domain=.nytimes.com and Vary: Host. The Matchlist (352 implementations) ranks Oracle Application Server 10g 10.1.2.2.0 (58 hits, 81.63% match), Sun Java System Web Server 7.0 (57 hits, 80.28%), Abyss 2.5.0.0 X1, Apache 2.0.52 and Apache 2.2.6 (56 hits, 78.87% each).]

FIGURE 12.15: Httprecon Screenshot

ID Serve
Source: http://www.grc.com
ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
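The response preamble that ID Serve and httprecon read is exactly what a server owner should audit before an attacker does. As an added example (not part of the EC-Council material or of either tool), the Python below parses a raw HTTP response head, pulls product/version tokens out of the banner headers, and lists common hardening headers that are absent; the terse sample is built from the headers visible in the ID Serve screenshot on this page, while the verbose sample's products and versions are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Headers that routinely announce the server's make, model or version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
# Hardening headers a reviewer expects to see on a public HTTP response.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options",
                    "strict-transport-security", "content-security-policy")

# Constructed from the response shown in the ID Serve screenshot (Figure 12.16).
TERSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gws\r\n"
    "Content-Length: 221\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed example of a chatty banner; product names and versions are made
# up for illustration and do not describe any server mentioned on this page.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 PHP/5.2.4\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_head(raw: str) -> Tuple[str, int, Dict[str, List[str]]]:
    """Split an HTTP/1.x response into (version, status, headers).

    Header names are lower-cased; repeated headers (Set-Cookie, Via) are kept
    as lists. Bare LF line endings are tolerated because pasted banners often
    lose their carriage returns.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [ln.rstrip("\r") for ln in head.split("\n") if ln.strip()]
    if not lines:
        raise ValueError("empty response")
    m = re.match(r"HTTP/(\d\.\d)\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response status line: %r" % lines[0])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip junk lines instead of aborting the whole parse
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), int(m.group(2)), headers


def extract_versions(banner: str) -> List[str]:
    """Return product/version tokens such as 'Apache/2.2.6' found in a banner."""
    return re.findall(r"[A-Za-z_][\w.-]*/\d+(?:\.\d+)+", banner)


def audit_banner(raw: str) -> Dict[str, object]:
    """Summarise what the head reveals and which hardening headers are missing."""
    _, status, headers = parse_response_head(raw)
    disclosed: Dict[str, List[str]] = {}
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            versions = extract_versions(value)
            if versions:
                disclosed.setdefault(name, []).extend(versions)
    return {
        "status": status,
        "server": headers.get("server", [""])[0],
        "disclosed_versions": disclosed,
        "missing_hardening": [h for h in EXPECTED_HEADERS if h not in headers],
    }


if __name__ == "__main__":
    for label, raw in (("terse", TERSE_RESPONSE), ("verbose", VERBOSE_RESPONSE)):
        print(label, audit_banner(raw))
```

A banner with no version string, like the terse sample, still tells an attacker the product family, so the fingerprinting described on this page falls back to behavioural probes; an empty disclosed_versions list only closes the cheapest path.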


[ID Serve screenshot: Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp. The Server Query tab has www.google.com entered; "Server query processing" shows Server: gws, Content-Length: 221, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN, Connection: close, and "The server identified itself as: gws".]

FIGURE 12.16: ID Serve


Webserver Attack Methodology: Mirroring a Website

Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
Search for comments and other items in the HTML source code to make footprinting activities more efficient.
Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.
http://www.httrack.com

Web Server Attack Methodology: Mirroring a Website


Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror website is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, WebCopier, and BlackWidow.

HTTrack
Source: http://www.httrack.com
HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.
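Once a mirror sits on local disk, the search for comments and external links described above is a parsing job, and a site owner can run the same review over their own pages before publishing. As an added example (not part of the EC-Council material or of HTTrack), the Python below walks one saved HTML file with the standard library parser, collects every comment, splits link targets into same-host and external, and flags comments containing review-worthy words; the sample page, its hostnames, paths and the "SiteBuilder" comment are constructed for illustration.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse

# Constructed sample standing in for one HTML file saved by a site mirror. The
# hostnames, paths and the "SiteBuilder" comment are made up for this example.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Intranet portal</title>
<!-- TODO: remove before go-live. staging login: /admin/login.php -->
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<a href="/about.html">About</a>
<a href="http://partner.example.net/api/v1">Partner API</a>
<img src="http://images.example.net/logo.png" alt="logo">
<!-- Generated by SiteBuilder 3.2 (build 4417) -->
<form action="/cgi-bin/search.pl" method="get"><input name="q"></form>
</body></html>
"""

# Words that make an HTML comment worth a second look during a source review.
COMMENT_MARKERS = ("todo", "fixme", "password", "passwd", "login", "admin",
                   "debug", "generated by", "version", "build")


class SourceAuditor(HTMLParser):
    """Collect comments, link targets and form actions from one mirrored page."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.base_host = urlparse(page_url).netloc.lower()
        self.comments: List[str] = []
        self.internal: set = set()
        self.external: set = set()
        self.form_actions: List[str] = []

    def handle_comment(self, data: str) -> None:
        text = " ".join(data.split())  # collapse whitespace and newlines
        if text:
            self.comments.append(text)

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        ref = None
        if tag in ("a", "link") and a.get("href"):
            ref = a["href"]
        elif tag in ("img", "script", "iframe") and a.get("src"):
            ref = a["src"]
        elif tag == "form" and a.get("action"):
            ref = a["action"]
            self.form_actions.append(urljoin(self.page_url, ref))
        if ref is None:
            return
        absolute = urljoin(self.page_url, ref)  # resolve relative paths
        host = urlparse(absolute).netloc.lower()
        (self.internal if host == self.base_host else self.external).add(absolute)


def flag_comments(comments: List[str]) -> List[str]:
    """Return the comments that contain any of the review markers."""
    return [c for c in comments if any(m in c.lower() for m in COMMENT_MARKERS)]


def audit_source(html: str, page_url: str) -> Dict[str, object]:
    """Audit one page: all comments, the flagged ones, link split and form targets."""
    parser = SourceAuditor(page_url)
    parser.feed(html)
    parser.close()
    return {
        "comments": parser.comments,
        "flagged_comments": flag_comments(parser.comments),
        "internal_links": sorted(parser.internal),
        "external_links": sorted(parser.external),
        "form_actions": parser.form_actions,
    }


if __name__ == "__main__":
    report = audit_source(SAMPLE_PAGE, "http://www.example.com/index.html")
    for key, value in report.items():
        print(key, value)
```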


[HTTrack screenshot: "Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]". The information panel shows Bytes saved: 320.26KB, Time: 2min22s, Transfer rate: 0B/s (1.19MB/s), Active connections: 1, Links scanned: 2/14 (+13), Files written: 14, and "Parsing HTML file". The left pane lists the local disk tree (Local Disk C: with CEH-Tools, dell, inetpub, Intel, MyWebSites, Program Files, Program Files (x86), Users, Windows and NTUSER.DAT; Local Disk D:, DVD RW Drive E:, New Volume F:).]

FIGURE 12.17: Mirroring a Website


Webserver Attack Methodology: Vulnerability Scanning


Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited.
Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities.
Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.

Web Server Attack Methodology: Vulnerability Scanning

Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners. Vulnerability scanning allows determining the vulnerabilities that exist in the web server and its configuration. Thus, it helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out the active systems, network services, applications, and vulnerabilities present. Also, attackers test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning, such as HP WebInspect, Nessus, Paros proxy, etc., to find hosts, services, and vulnerabilities.

Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans the system remotely and reports if it detects vulnerabilities before the attacker actually attacks and compromises them. Its five features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

FIGURE 12.18: Nessus Screenshot


Webserver Attack Methodology: Session Hijacking


Sniff valid session IDs to gain unauthorized access to the web server and snoop the data.
Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs.
Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
http://portswigger.net

Note: For complete coverage of Session Hijacking concepts and techniques refer to Module 11: Session Hijacking

Web Server Attack Methodology: Session Hijacking


Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the legitimate user sends the response with the correct sequence number. Thus, the attacker performs session hijacking. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

Burp Suite
Source: http://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.
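Sidejacking and cross-site scripting, two of the cookie-capture techniques named above, both depend on how the session cookie was issued: a cookie without Secure travels over plain HTTP where a sniffer can read it, and one without HttpOnly is readable by injected script. As an added example (not part of the EC-Council material or of Burp Suite), the Python below parses Set-Cookie header values and reports the attributes a defender would expect on a session cookie; the cookie names and values are constructed for illustration.

```python
from typing import Dict, List, NamedTuple


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # attribute names lower-cased; bare flags map to ""


# Constructed Set-Cookie values for illustration; none come from a real site.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/",
    "SESSION=9f86d081884c7d65; Path=/; Secure; HttpOnly; SameSite=Lax",
    "authtoken=eyJhbGciOi; Path=/; Domain=.example.com; "
    "Expires=Fri, 11 Oct 2013 09:34:37 GMT; Secure",
    "prefs=dark; Path=/",
]

# Name fragments that usually mark a cookie as carrying the session or identity.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> Cookie:
    """Split 'name=value; Attr=val; Flag' into a Cookie.

    Splitting is done on ';' only, because Expires carries commas and colons.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookie(header_value: str) -> List[str]:
    """Findings for one Set-Cookie header; an empty list means nothing to report."""
    cookie = parse_set_cookie(header_value)
    findings: List[str] = []
    if not looks_like_session_cookie(cookie.name):
        return findings  # preference cookies are out of scope here
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: sent over plain HTTP, exposed to sidejacking")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by script, exposed to XSS capture")
    if cookie.attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if "expires" in cookie.attrs or "max-age" in cookie.attrs:
        findings.append("persistent: session outlives the browser session")
    if cookie.attrs.get("domain", "").startswith("."):
        findings.append("Domain=%s: shared with every subdomain" % cookie.attrs["domain"])
    return findings


def audit_response_cookies(set_cookie_values: List[str]) -> Dict[str, List[str]]:
    """Map cookie name to findings for every Set-Cookie header that raised one."""
    report: Dict[str, List[str]] = {}
    for header_value in set_cookie_values:
        findings = audit_cookie(header_value)
        if findings:
            report[parse_set_cookie(header_value).name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_response_cookies(SAMPLE_SET_COOKIES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```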


[Burp Suite screenshot: burp suite free edition v1.4.01, target > site map tab with the filter "hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders"; hosts http://economictimes.indiatimes.com and http://edition.cnn.com are listed. A GET request to /.element/ssi/ads.iframes/ on edition.cnn.com returned status 200, length 676, MIME type HTML, with the request headers shown in the lower pane. The branch context menu offers add item to scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools [pro version only], compare site maps, expand branch, expand requested items, delete branch, copy URLs in this branch, copy links in this branch and save selected items.]

FIGURE 12.19: Burp Suite Screenshot


Webserver Attack Methodology: Hacking Web Passwords


Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack webserver passwords.
Use tools such as Brutus, THC-Hydra, etc.
http://www.hoobie.net

Web Server Attack Methodology: Hacking Web Passwords


One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.

Brutus
Source: http://www.hoobie.net
Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
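An online cracking run of the kind Brutus performs is loud from the server's side: one client produces a burst of 401 responses while cycling through a user list, typically with HEAD requests. As an added example (not part of the EC-Council material or of Brutus), the Python below parses common-log-format access log lines and raises an alert when a single client accumulates a threshold of failed HTTP Basic-auth attempts inside a time window; the log lines, addresses and usernames are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# NCSA common log format: client, ident, auth user, [time], "request", status, bytes.
# Apache fills the user field from the Authorization header even when it answers
# 401, so each failed Basic-auth guess records the username that was tried.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed log lines for illustration. 10.0.0.99 hammers HTTP Basic auth with
# HEAD requests; 192.0.2.10 mistypes a password twice over two minutes.
# Addresses and usernames are made up.
SAMPLE_LOG = """\
10.0.0.99 - admin [11/Oct/2012:09:34:37 +0000] "HEAD / HTTP/1.1" 401 0
10.0.0.99 - admin [11/Oct/2012:09:34:37 +0000] "HEAD / HTTP/1.1" 401 0
10.0.0.99 - admin [11/Oct/2012:09:34:38 +0000] "HEAD / HTTP/1.1" 401 0
10.0.0.99 - backup [11/Oct/2012:09:34:38 +0000] "HEAD / HTTP/1.1" 401 0
192.0.2.10 - alice [11/Oct/2012:09:34:39 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.99 - backup [11/Oct/2012:09:34:39 +0000] "HEAD / HTTP/1.1" 401 0
10.0.0.99 - backup [11/Oct/2012:09:34:40 +0000] "HEAD / HTTP/1.1" 401 0
192.0.2.10 - alice [11/Oct/2012:09:35:02 +0000] "GET /private/ HTTP/1.1" 401 0
10.0.0.99 - root [11/Oct/2012:09:34:40 +0000] "HEAD / HTTP/1.1" 401 0
192.0.2.10 - alice [11/Oct/2012:09:36:10 +0000] "GET /private/ HTTP/1.1" 401 0
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": None if m["user"] == "-" else m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "status": int(m["status"]),
    }


def max_in_window(times: List[datetime], window_s: int) -> int:
    """Largest count of sorted timestamps that fall inside any window_s-second span."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_auth_bruteforce(lines: List[str], threshold: int = 5,
                           window_s: int = 60) -> List[Dict[str, object]]:
    """Flag clients with at least `threshold` 401s inside any window_s-second span.

    Each alert carries the peak failure count, the usernames tried and the
    request methods seen, so an analyst can tell one user fumbling a password
    from a tool walking a user list.
    """
    failures: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["status"] == 401:
            failures[event["ip"]].append(event)
    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])  # logs are not always in time order
        peak = max_in_window([e["ts"] for e in events], window_s)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "failures": len(events),
                "peak_in_window": peak,
                "users": sorted({e["user"] for e in events if e["user"]}),
                "methods": sorted({e["method"] for e in events}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Three distinct usernames and a HEAD-only method set in one alert is the user-list signature; a lone user with two failures a minute apart stays below the threshold.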


[Brutus screenshot: "Brutus - AET2 - www.hoobie.net/brutus - (January 2000)". Target 10.0.0.17, Type HTTP (Basic Auth), Port 80, Connections 10, Timeout 10; HTTP (Basic) Options: Method HEAD, KeepAlive on; Authentication Options: Use Username, User File users.txt, Pass Mode Word List, Pass File words.txt. The log reads: "Located and installed 1 authentication plug-ins", "Initialising...", "Target 10.0.0.17 verified", "Opened user file containing 6 users.", "Opened password file containing 818 Passwords.", "Maximum number of authentication attempts will be 4908", "Engaging target 10.0.0.17 with HTTP (Basic Auth)". The Positive Authentication Results panel lists target 10.0.0.17/ with usernames admin and backup and the password academic.]

FIGURE 12.20: Brutus Screenshot



Module Flow
The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Counter-measures
Patch Management

This section lists and describes various web server attack tools.


Webserver Attack Tools: Metasploit


The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms.
It supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.
http://www.metasploit.com

Web Server Attack Tools: Metasploit


Source: http://www.metasploit.com

The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes Oxley, HIPAA, or PCI DSS. Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and for team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.

Metasploit enables you to:

- Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks


- Assess the security of web applications, network and endpoint systems, as well as email users
- Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
- Test with the world's largest public database of quality assured exploits
- Tunnel any traffic through compromised targets to pivot deeper into the network
- Collaborate more effectively with team members in concerted network tests
- Customize the content and template of executive, audit, and technical reports

[Screenshot: Metasploit web interface overview showing the Target System Status, Operating Systems (Top), Project Activity (24 Hours), and Network Services (Top) panels]

FIGURE 12.21: Metasploit Screenshot



Metasploit Architecture
The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.


[Figure: Metasploit architecture. Libraries: Rex, Framework-Core, Framework-Base. Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi. Custom plug-ins. Tools: Protocol Tools, Security Tools, Web Services, Integration. Modules: Exploits, Payloads, Encoders, NOPS, Auxiliary]

FIGURE 12.22: Metasploit Architecture



Metasploit Exploit Module


The exploit module is the basic module in Metasploit used to encapsulate an exploit, with which users can target many platforms with a single exploit. This module comes with simplified meta-information fields. Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits. Following are the steps to exploit a system using the Metasploit framework:

- Configuring Active Exploit
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit


Metasploit Payload Module


The payload module establishes a communication channel between the Metasploit framework and the victim host. It combines the arbitrary code that is executed as the result of an exploit succeeding.



The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there. With the help of a payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. To generate payloads, first select a payload using the command:


Command Prompt

    msf > use windows/shell_reverse_tcp
    msf payload(shell_reverse_tcp) > generate -h
    Usage: generate [options]

    Generates a payload.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -h        Help banner.
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -s <opt>  NOP sled length.
        -t <opt>  The output type: ruby, perl, c, or raw.

    msf payload(shell_reverse_tcp) >

FIGURE 12.23: Metasploit Payload Module


Metasploit Auxiliary Module



Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command.

Command Prompt

    msf > use dos/windows/smb/ms06_035_mailslot
    msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
    RHOST => 1.2.3.4
    msf auxiliary(ms06_035_mailslot) > run
    [*] Mangling the kernel, two bytes at a time...



Metasploit NOPS Module

Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format. Use the generate command to produce the sled:

Command Prompt

    msf > use x86/opty2
    msf nop(opty2) > generate -h
    Usage: generate [options] length

    Generates a NOP sled of a given length.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -h        Help banner.
        -s <opt>  The comma separated list of registers to save.
        -t <opt>  The output type: ruby, perl, c, or raw.

    msf nop(opty2) >


To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    "\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
    "\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
    "\x92\xb5\xd4\x4f\x91";
    msf nop(opty2) >

Figure 12.25: Metasploit NOPS Module
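The opty2 output above is a polymorphic sled: none of it is the 0x90 byte that a textbook sled is built from. The following added example (not part of the courseware or of Metasploit) shows the defender's side of that trade: a NOP-sled heuristic of the kind network IDS engines run over inbound payloads, which flags long runs of single-byte x86 instructions that leave control flow undisturbed. It is run over constructed buffers, including the 50 bytes printed above. The opcode set is an illustrative assumption, not the opty2 table, and the threshold is a tuning choice.

```python
# Added example, not from the courseware: a NOP-sled heuristic of the kind
# network IDS engines apply to inbound payloads. It looks for long runs of
# single-byte x86 instructions that leave control flow undisturbed, which is
# exactly what a classic 0x90 sled is made of, and shows why the opty2 sled
# printed above slips past the simple version of the check.

# Assumption: this opcode set is illustrative, not Metasploit's opty2 table.
SLED_BYTES = frozenset(
    [0x90]                            # nop
    + list(range(0x40, 0x50))         # inc/dec r32
    + list(range(0x50, 0x60))         # push/pop r32
    + list(range(0x91, 0x98))         # xchg eax, r32
    + [0x98, 0x99, 0x9e, 0x9f]        # cwde, cdq, sahf, lahf
    + [0xf5, 0xf8, 0xf9, 0xfc, 0xfd]  # cmc, clc, stc, cld, std
    + [0x27, 0x2f, 0x37, 0x3f]        # daa, das, aaa, aas
)


def longest_sled_run(buf: bytes) -> tuple:
    """Return (offset, length) of the longest run of sled-like bytes in buf."""
    best = (0, 0)
    start = None
    for i, b in enumerate(buf):
        if b not in SLED_BYTES:
            start = None
            continue
        if start is None:
            start = i
        if i - start + 1 > best[1]:
            best = (start, i - start + 1)
    return best


def detect_nop_sled(buf: bytes, threshold: int = 16):
    """Flag buf when it carries a sled-like run of at least `threshold` bytes.

    Returns (offset, length) for a hit, or None. The threshold trades misses
    against false positives: uppercase ASCII (0x41-0x5a) decodes as inc/dec
    and push/pop, so a run of capital letters looks like a sled to this check.
    """
    offset, length = longest_sled_run(buf)
    return (offset, length) if length >= threshold else None


# Constructed sample buffers.
CLASSIC_SLED = b"\x90" * 64 + b"\xcc" * 8   # textbook sled, then int3 as a stand-in for shellcode
OPTY2_SLED = bytes.fromhex(                   # the 50 bytes from the generate -t c 50 output above
    "f53d0515f867ba7d08d6669fb82db6"
    "24beb13f431d93b2373584d51440b4"
    "b341b948049946a9b0b72ffd964a98"
    "92b5d44f91"
)
UPPERCASE_TEXT = b"X-Trace: " + b"A" * 20      # legitimate text the heuristic mistakes for a sled
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


if __name__ == "__main__":
    samples = [("classic", CLASSIC_SLED), ("opty2", OPTY2_SLED),
               ("uppercase text", UPPERCASE_TEXT), ("http request", HTTP_REQUEST)]
    for name, buf in samples:
        print(f"{name:14s} longest run {longest_sled_run(buf)} -> {detect_nop_sled(buf)}")
```

The classic sled is caught at offset 0 with a run of 64; the opty2 sled's longest sled-like run is only 6 bytes, so it is missed, while a header containing twenty capital letters is falsely flagged. That pair of failures is why production detectors add instruction-level emulation or protocol context rather than relying on byte-class runs alone.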


Webserver Attack Tools: Wfetch


WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. It allows an attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols.



Source: http://www.microsoft.com

Wfetch is a graphical user interface aimed at helping customers resolve problems related to the browser's interaction with Microsoft's IIS web server. It allows a client to reproduce a problem with a lightweight, very HTTP-friendly test environment. It allows for very granular testing down to the authentication, authorization, custom headers, and much more.


[Screenshot: WFetch window with Verb GET, Path /, Host localhost, Port 80, Authentication Anonymous, Connection http, Cipher default; the Log Output pane reads "Last Status: 500 Internal Server Error" and shows a WWWConnect::Connect("localhost","80") call followed by WWWConnect::Close]

Figure 12.26: Wfetch Screenshot
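What WFetch puts on screen is the exact request bytes and the exact response bytes. The following added example (written for this page, not code from Microsoft or from the courseware) does the same job in a few functions: build_request assembles a raw HTTP/1.1 request including a Basic Authentication header, parse_response splits a raw reply into status line, headers and body, and send_raw performs the exchange over a plain socket. The host, path, credentials and the sample 500 response are constructed values; the Server header value is made up.

```python
# Added example, not from the courseware or from Microsoft's WFetch: a minimal
# raw-HTTP client in the spirit of WFetch, so the request and response bytes
# can be inspected exactly as they travel.
import base64
import socket


def build_request(method, path, host, headers=None, body=b"",
                  username=None, password=None) -> bytes:
    """Assemble a raw HTTP/1.1 request; returns the bytes to send."""
    hdrs = {"Host": host, "Connection": "close"}
    if username is not None:
        # Basic auth is only base64, not encryption: the credential is legible
        # in the raw request, which is why it must travel over TLS.
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        hdrs["Authorization"] = "Basic " + token
    if body:
        hdrs["Content-Length"] = str(len(body))
    hdrs.update(headers or {})
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send the request bytes and return the raw response (Connection: close)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed reply, modelled on the "500 Internal Server Error" shown in the
# WFetch log output above; the Server header value is made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"Server error"
)


if __name__ == "__main__":
    req = build_request("GET", "/", "localhost", username="alice", password="s3cret")
    print(req.decode("latin-1"))          # the raw request, credential visible in clear
    print(parse_response(SAMPLE_RESPONSE))
    # Against a listener you administer: parse_response(send_raw("localhost", 80, req))
```

Printing the request makes the point WFetch's raw view makes implicitly: the Authorization header is a reversible encoding of "alice:s3cret", so Basic Authentication over plain HTTP hands the credential to anyone on the path.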


Web Password Cracking Tool: Brutus


Source: http://www.hoobie.net

Brutus is a remote password cracker. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.

Features:

- HTTP (Basic Authentication)
- HTTP (HTML Form/CGI)
- POP3
- FTP
- SMB
- Telnet
- Multi-stage authentication engine
- No username, single username, and multiple username modes
- Password list, combo (user/password) list, and configurable brute force modes


- Highly customizable authentication sequences
- Load and resume position
- Import and export custom authentication types as BAD files seamlessly
- SOCKS proxy support for all authentication types
- User and password list generation and manipulation functionality
- HTML form interpretation for HTML Form/CGI authentication types
- Error handling and recovery capability, including resume after crash/failure
[Screenshot: Brutus AET2 (www.hoobie.net/brutus, January 2000) with target 10.0.0.17, port 80, type HTTP (Basic Auth), method HEAD, and word list pass mode; the status log reports that the target was verified, a user file of 6 users and a password file of 818 passwords were opened, and the engagement is under way with positive authentication results listed]

Figure 12.27: Brutus Screenshot


Web Password Cracking Tool: THC-Hydra




Source: h ttp ://w w w .th c .o r g

THC-Hydra is used to check for weak passwords. This tool is a brute force tool that is used by attackers as well as administrators. Hydra can automatically crack email passwords and gain access to routers, Windows systems, and telnet or SSH protected servers. It is a very fast network logon cracker that supports many different services.


[Screenshot: xHydra (Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak) with target 192.168.168.1, protocol rdp, and the Use SSL, Be Verbose, Show Attempts, and Debug options enabled; the Output tab shows the run starting at 2012-10-21 17:01:09 with -l Administrator and a password file (-P) from the user's Desktop, 4 tasks against 1 server on port 3389, and the warning "rdp servers often don't like many connections, use -t 1 or -t 4"]

Figure 12.28: THC-Hydra Screenshot
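Both Brutus (HTTP Basic Auth, method HEAD, a word list against a user file) and Hydra leave the same footprint on the server: a burst of failed logons from one client cycling through usernames. The following added example (not part of the courseware, and not code from either tool) is the detection logic a web server operator would run over access logs: a sliding window of 401 responses per client address, with one alert per client that crosses the threshold and a count of how many distinct usernames it presented. The log lines, addresses, usernames and paths are constructed.

```python
# Added example, not from the courseware: detection logic for the HTTP Basic
# Authentication guessing that Brutus performs and for the logon bursts Hydra
# produces, run over constructed web server access-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log prefix: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_auth_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert once per client that draws >= threshold 401 responses within window.

    Each alert records how many distinct usernames the client tried, which
    separates a guessing tool cycling through a user list from one person
    mistyping their own password a few times.
    """
    recent = defaultdict(deque)      # ip -> timestamps of recent 401s
    users_tried = defaultdict(set)   # ip -> usernames presented
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 401:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users_tried[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "failures": len(q),
                "first_seen": q[0],
                "last_seen": ev["ts"],
                "distinct_users": len(users_tried[ev["ip"]]),
                "path": ev["path"],
            })
    return alerts


# Constructed log: one legitimate user with a single typo, and one client
# hammering /intranet/ with HEAD requests (as Brutus does) under two usernames.
SAMPLE_LOG = [
    '10.0.0.5 - alice [21/Oct/2012:17:00:00 +0000] "GET /intranet/ HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [21/Oct/2012:17:00:30 +0000] "GET /intranet/ HTTP/1.1" 401 381',
] + [
    f'10.0.0.99 - {"admin" if i % 2 == 0 else "backup"} '
    f'[21/Oct/2012:17:01:{i:02d} +0000] "HEAD /intranet/ HTTP/1.1" 401 381'
    for i in range(12)
]


if __name__ == "__main__":
    for a in detect_auth_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['failures']} failed logins against {a['path']} between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}, "
              f"{a['distinct_users']} usernames tried")
```

The alert fires on the tenth failure from 10.0.0.99 (two usernames, within ten seconds) and never for 10.0.0.5, whose single 401 stays under the threshold. The HEAD method is worth keeping in the alert: Brutus uses it precisely because a HEAD probe is cheap and easy to overlook in volume-based dashboards.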


Web Password Cracking Tool: Internet Password Recovery Toolbox



Source: http://www.rixler.com

Internet Password Recovery Toolbox is a comprehensive solution for recovering passwords for Internet browsers, email clients, instant messengers, and FTP clients. It can cover network and dial-up accounts and can be used in the whole area of Internet communication links. This program offers instantaneous password recovery capabilities for almost every Internet application you expect it to provide: you name it, the program has it.


Module Flow

So far, we have discussed web server concepts, techniques used by attackers, attack methodology, and tools that help in attacking web servers. All these concepts help in breaking into the web server or compromising web server security. Now it's time to discuss the countermeasures that help in enhancing the security of web servers. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web server against web server intrusions.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Counter-measures


This section highlights web server countermeasures that protect web servers against various attacks.


Countermeasures: Patches and Updates

The following are a few countermeasures that can be adopted to protect web servers against various hacking techniques:

- Scan for existing vulnerabilities, and patch and update the server software regularly.
- Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
- Apply all updates, regardless of their type, on an "as-needed" basis.
- Test the service packs and hotfixes in a representative non-production environment prior to deploying them to production.
- Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs).
- Ensure that server outages are scheduled and that a complete set of backup tapes and emergency repair disks is available.
- Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation.
- Schedule periodic service pack upgrades as part of operations maintenance and never fall more than two service packs behind.


Countermeasures: Protocols

Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB

Harden the TCP/IP stack and consistently apply the latest software patches and updates to system software

If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies

If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols

Disable WebDAV if not used by the application, or keep it secure if it is required


Countermeasures: Protocols

The following are some measures that should be applied to the respective protocols in order to protect web servers from hacking:

Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.

Harden the TCP/IP stack and consistently apply the latest software patches and updates to the system software.

If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.

If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols.

Disable WebDAV if not used by the application, or keep it secure if it is required.


Countermeasures: Accounts

Remove all unused modules and application extensions

Disable unused default user accounts created during installation of an operating system

When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content

Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning

Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization

Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures

Run processes using least privileged accounts as well as least privileged service and user accounts


Countermeasures: Accounts

The following is the list of account countermeasures for hacking web servers:

Remove all unused modules and application extensions. Disable unused default user accounts created during installation of an operating system. When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content.

Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.

Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization. Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures. Run processes using least privileged accounts as well as least privileged service and user accounts.


Countermeasures: Files and Directories

Eliminate unnecessary files within the .jar files

Eliminate sensitive configuration information within the byte code

Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files

Disable serving of directory listings

Avoid mapping virtual directories between two different servers, or over a network

Disable serving certain file types by creating a resource mapping

Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle) and OS logs frequently

Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the operating system, logs, and any other system files


Countermeasures: Files and Directories

The following is the list of actions that should be taken against files and directories in order to protect web servers from hacking: Eliminate unnecessary files within .jar files. Eliminate sensitive configuration information within the byte code. Avoid mapping virtual directories between two different servers or over a network. Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently. Disable serving of directory listings. Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files. Disable serving certain file types by creating a resource mapping. Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the operating system, logs, and any other system files.
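The two file checks above (non-web files left in the web root, and the web root sharing a partition with the operating system) can be audited with a small scan. This is an added example, not code from the module; the extension categories and the sample web root are constructed assumptions chosen to match the slide's wording.

```python
"""Scan a web root for non-web files and check which partition it lives on.

Added example (not from the CEH module). The extension lists below are an
assumption mapping the slide's categories (archive, backup, text,
header/include) to common file suffixes.
"""
import os
import tempfile
from pathlib import Path

NON_WEB_CATEGORIES = {
    "archive": {".zip", ".tar", ".gz", ".tgz", ".rar", ".7z"},
    "backup": {".bak", ".old", ".orig", ".swp", ".tmp"},
    "text": {".txt", ".log", ".md"},
    "header/include": {".inc", ".h", ".hpp"},
}


def classify(path):
    """Return the category of a non-web file, or None if it may be served."""
    path = Path(path)
    if path.name.endswith("~"):          # editor backup copies, e.g. index.php~
        return "backup"
    suffix = path.suffix.lower()
    for category, extensions in NON_WEB_CATEGORIES.items():
        if suffix in extensions:
            return category
    return None


def scan_webroot(root):
    """Walk `root` and return sorted (relative_posix_path, category) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            category = classify(full)
            if category:
                findings.append((full.relative_to(root).as_posix(), category))
    return sorted(findings)


def on_system_partition(webroot, system_root="/"):
    """True when the web root shares a device (st_dev) with the OS partition."""
    return os.stat(webroot).st_dev == os.stat(system_root).st_dev


def build_demo_webroot():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_demo_"))
    for rel in ["index.html", "app/main.php", "app/main.php~", "app/db.inc",
                "assets/logo.png", "backup/site-2012.zip", "notes.txt",
                "old/config.php.bak"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("demo")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel_path, category in scan_webroot(demo):
        print(f"{category:15} {rel_path}")
    print("web root on OS partition:", on_system_partition(demo))
```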


How to Defend Against Web Server Attacks


Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL)

Encrypt or restrict intranet traffic

Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server

Ensure that certificate date ranges are valid and that certificates are used for their intended purpose

Ensure that the certificate has not been revoked and the certificate's public key is valid all the way to a trusted root authority

Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed

Ensure that tracing is disabled (<trace enabled="false"/>) and debug compiles are turned off

Implement secure coding practices to avoid source code disclosure and input validation attacks

Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute

Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates


How to Defend Against Web Server Attacks

The following are the various ways to defend against web server attacks:

Ports

Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server. Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL). Encrypt or restrict intranet traffic.
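A periodic port audit of the kind described above can be scripted against the listener table of the host. This is an added example, not code from the module: it parses Linux `ss -Hlnt` output, the allow-list is the page's 80/443, and the risky-port table and sample listener output are constructed assumptions.

```python
"""Audit listening TCP ports against the page's allow-list (80 HTTP, 443 HTTPS).

Added example, not from the CEH module. Parses `ss -Hlnt` (Linux) output;
the sample output and the risky-service table are constructed assumptions.
"""
import subprocess
from dataclasses import dataclass

# Ports the page permits inbound on a web server.
ALLOWED_PORTS = {80, 443}

# Services the page says to disable or block when not required; the port
# numbers are the standard ones for each protocol.
RISKY_SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 110: "POP3",
                  119: "NNTP", 139: "NetBIOS", 445: "SMB"}

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    port: int
    local_addr: str
    severity: str
    note: str


def parse_ss_listeners(text):
    """Extract (address, port) pairs from `ss -Hlnt` style lines.

    Each line looks like:  LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:443 and *:445
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit_ports(listeners, allowed=ALLOWED_PORTS, risky=RISKY_SERVICES):
    """Flag every listener not on the allow-list, worst first."""
    findings = []
    for addr, port in listeners:
        if port in allowed:
            continue
        if port in risky:
            findings.append(Finding(port, addr, "high",
                                    f"{risky[port]} listener; disable or block it"))
        elif addr in ("127.0.0.1", "[::1]"):
            findings.append(Finding(port, addr, "info",
                                    "loopback-only listener; confirm it is required"))
        else:
            findings.append(Finding(port, addr, "medium",
                                    "unexpected externally reachable listener"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.port))


def live_listeners():
    """Collect listeners from the running host; returns [] if ss is unavailable."""
    try:
        proc = subprocess.run(["ss", "-Hlnt"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_ss_listeners(proc.stdout)


# Constructed sample: a web server that also exposes Telnet, SMB and a dev port.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 50 *:445 *:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_ports(parse_ss_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[{f.severity:6}] {f.local_addr}:{f.port} - {f.note}")
```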

Server Certificates

Ensure that certificate date ranges are valid and that certificates are used for their intended purpose.

Ensure that the certificate has not been revoked and the certificate's public key is valid all the way to a trusted root authority.


machine.config

Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed.

Ensure that tracing is disabled (<trace enabled="false"/>) and debug compiles are turned off.

Code Access Security

Implement secure coding practices to avoid source code disclosure and input validation attacks.

Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.

Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
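The three configuration checks above (tracing off, debug compiles off, protected resources mapped to HttpForbiddenHandler) can be verified mechanically in a machine.config or web.config, since both carry the same <system.web> elements. This is an added example, not code from the module; the element and attribute names are the real ASP.NET ones, while the two config documents and the PROTECTED_EXTENSIONS list are constructed assumptions.

```python
"""Check <system.web> hardening items: tracing, debug compiles, forbidden handlers.

Added example, not from the CEH module. Works on machine.config or web.config
text. PROTECTED_EXTENSIONS is an assumed list of source/config files that
must never be served; the two sample documents are constructed.
"""
import xml.etree.ElementTree as ET

FORBIDDEN_HANDLER = "System.Web.HttpForbiddenHandler"
PROTECTED_EXTENSIONS = ("*.config", "*.cs", "*.resx")   # assumption


def _is_true(elem, attr):
    """ASP.NET treats a missing attribute as false for trace/debug."""
    return elem is not None and elem.get(attr, "false").strip().lower() == "true"


def check_system_web(xml_text):
    """Return (check_name, passed, detail) triples for one config document."""
    root = ET.fromstring(xml_text)
    sw = root.find("system.web")
    if sw is None:
        sw = ET.Element("system.web")       # nothing configured: defaults apply
    results = []

    trace = sw.find("trace")
    results.append(("tracing disabled", not _is_true(trace, "enabled"),
                    "trace enabled=" + (trace.get("enabled", "unset")
                                        if trace is not None else "unset")))

    comp = sw.find("compilation")
    results.append(("debug compiles off", not _is_true(comp, "debug"),
                    "compilation debug=" + (comp.get("debug", "unset")
                                            if comp is not None else "unset")))

    # Map each handler path to its handler type (first comma-separated token,
    # so "System.Web.HttpForbiddenHandler, System.Web" still matches).
    handlers = {}
    hh = sw.find("httpHandlers")
    if hh is not None:
        for add in hh.findall("add"):
            handlers[add.get("path")] = add.get("type", "").split(",")[0].strip()
    for ext in PROTECTED_EXTENSIONS:
        mapped = handlers.get(ext, "")
        results.append((f"{ext} -> HttpForbiddenHandler",
                        mapped == FORBIDDEN_HANDLER, mapped or "no mapping"))
    return results


def failed_checks(xml_text):
    """Names of the checks that did not pass, in check order."""
    return [name for name, ok, _ in check_system_web(xml_text) if not ok]


# Constructed: the weak settings the page warns about.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false"/>
    <compilation debug="true"/>
    <httpHandlers>
      <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>"""

# Constructed: the corrected form of the same document.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false"/>
    <compilation debug="false"/>
    <httpHandlers>
      <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler"/>
      <add path="*.cs" verb="*" type="System.Web.HttpForbiddenHandler"/>
      <add path="*.resx" verb="*" type="System.Web.HttpForbiddenHandler"/>
    </httpHandlers>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, ok, detail in check_system_web(doc):
            print(f"{label:8} {'PASS' if ok else 'FAIL'}  {name}  ({detail})")
```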


How to Defend Against Web Server Attacks (Contd)

IIS Lockdown

Use the IIS Lockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server

IIS Lockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage

Disable the services running with least-privileged accounts

Disable FTP, SMTP, and NNTP services if not required

Disable the Telnet service

Switch off all unnecessary services and disable them, so that the next time the server is rebooted, they are not started automatically. This also gives an extra boost to your server performance, by freeing some hardware resources


How to Defend Against Web Server Attacks (Contd)

IIS Lockdown

IISLockdown restricts anonymous access to system utilities, as well as the ability to write to web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications, and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories. Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications. It disables Web Distributed Authoring and Versioning (WebDAV) and installs the URLScan ISAPI filter.

Use the IISLockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server.

IISLockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.


Services

Disable the services running with least-privileged accounts. Disable FTP, SMTP, and NNTP services if not required. Disable the Telnet service. Switch off all unnecessary services and disable them, so that the next time the server is rebooted, they are not started automatically. This also gives an extra boost to your server performance, by freeing some hardware resources.


How to Defend Against Web Server Attacks (Contd)

Registry

Apply restricted ACLs and block remote registry administration

Secure the SAM (Stand-alone Servers Only)

Auditing and Logging

Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files

Shares

Remove all unnecessary file shares including the default administration shares if they are not required

Secure the shares with restricted NTFS permissions

Script Mappings

Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions that handle these types of files

IIS Metabase

Ensure that security-related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions

Restrict banner information returned by IIS

Sites and Virtual Directories

Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access

ISAPI Filters

Remove unnecessary ISAPI filters from the web server


How to Defend Against Web Server Attacks (Contd)

Registry

Apply restricted ACLs and block remote registry administration. Secure the SAM (Stand-alone Servers Only).

Shares

Remove all unnecessary file shares including the default administration shares if they are not required.

Secure the shares with restricted NTFS permissions.

IIS Metabase

Ensure that security-related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions.

Restrict banner information returned by IIS.

Auditing and Logging

Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files.


Script Mappings

Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions that handle these types of file.

Sites and Virtual Directories

Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.

ISAPI Filters

Remove unnecessary ISAPI filters from the web server.


How to Defend Against Web Server Attacks (Contd)

Do use a dedicated machine as a web server

Create URL mappings to internal servers cautiously

Do not connect an IIS Server to the Internet until it is fully hardened

Do physically protect the web server machine in a secure machine room

Use server-side session ID tracking and match connections with timestamps, IP addresses, etc.

Do not allow anyone to locally log on to the machine except for the administrator

If a database server, such as Microsoft SQL Server, is to be used as a backend database, install it on a separate server

Use security tools provided with web server software and scanners that automate and make the process of securing a web server easy

Do configure a separate anonymous user account for each application, if you host multiple web applications

Limit the server functionality in order to support the web technologies that are going to be used


How to Defend Against Web Server Attacks (Contd)

The following is a list of actions that can be taken to defend web servers from various kinds of attacks: Create URL mappings to internal servers cautiously. If a database server such as Microsoft SQL Server is to be used as a backend database, install it on a separate server. Do use a dedicated machine as a web server. Don't install the IIS server on a domain controller. Use server-side session ID tracking and match connections with timestamps, IP addresses, etc. Use security tools provided with the web server and scanners that automate and make the process of securing a web server easy.

Screen and filter the incoming traffic requests. Do physically protect the web server machine in a secure machine room. Do configure a separate anonymous user account for each application, if you host multiple web applications.


Do not connect an IIS Server to the Internet until it is fully hardened. Do not allow anyone to locally log on to the machine except for the administrator. Limit the server functionality in order to support the web technologies that are going to be used.


How to Defend against HTTP Response Splitting and Web Cache Poisoning

Server Admin

Use latest web server software

Regularly update/patch OS and web server

Run web vulnerability scanner

Application Developers

Restrict web application access to unique IPs

Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters

Comply to RFC 2616 specifications for HTTP/1.1

Proxy Servers

Avoid sharing incoming TCP connections among different clients

Use different TCP connections with the proxy for different virtual hosts

Implement "maintain request host header" correctly


How to Defend against HTTP Response Splitting and Web Cache Poisoning

The following are the measures that should be taken in order to defend against HTTP response splitting and web cache poisoning:

Server Admin

Use latest web server software. Regularly update/patch OS and web server. Run web vulnerability scanner.

Application Developers

Restrict web application access to unique IPs. Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters. Comply to RFC 2616 specifications for HTTP/1.1.

Proxy Servers

Avoid sharing incoming TCP connections among different clients. Use different TCP connections with the proxy for different virtual hosts. Implement "maintain request host header" correctly.
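The developer-side measure above, rejecting carriage return and line feed before user input reaches a response header, is shown below as a vulnerable redirect handler next to its hardened form. This is an added example, not code from the module; the `redirect_*` functions and the two query strings are hypothetical and constructed for illustration.

```python
"""Header-value validation against HTTP response splitting.

Added example, not from the CEH module. `redirect_unsafe` shows the bug class
(decoded query input copied into Location); `redirect_safe` applies the
page's rule of disallowing CR (%0d) and LF (%0a). Inputs are constructed.
"""
from urllib.parse import parse_qs


class HeaderInjectionError(ValueError):
    """Raised when untrusted input would start a new header line."""


def validate_header_value(value):
    """Accept a header field-value only if it has no CR, LF or other control
    characters; RFC 2616 field-values never need a bare CRLF from user data."""
    for ch in value:
        if ch in "\r\n" or ord(ch) < 0x20 or ch == "\x7f":
            raise HeaderInjectionError(f"control character {ch!r} in header value")
    return value


def _next_param(query_string):
    # parse_qs percent-decodes, so %0d%0a arrive here as real CR LF bytes.
    return parse_qs(query_string).get("next", ["/"])[0]


def redirect_unsafe(query_string):
    """Vulnerable pattern: the decoded ?next= value goes straight into Location."""
    return f"HTTP/1.1 302 Found\r\nLocation: {_next_param(query_string)}\r\n\r\n"


def redirect_safe(query_string):
    """Hardened form: the value is validated before it reaches the header."""
    target = validate_header_value(_next_param(query_string))
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def header_lines(raw_response):
    """Return the header lines of a raw response head, for inspection."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


# Constructed inputs: a normal redirect target and one carrying an encoded CRLF.
BENIGN_QUERY = "next=/account"
CRLF_QUERY = "next=/account%0d%0aX-Injected:%20demo"

if __name__ == "__main__":
    print("unsafe headers:", header_lines(redirect_unsafe(CRLF_QUERY)))
    try:
        redirect_safe(CRLF_QUERY)
    except HeaderInjectionError as err:
        print("safe handler rejected input:", err)
```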


Module Flow

Developers always try to find the bugs in the web server and try to fix them. The bug fixes are released in the form of patches. These patches provide protection against known vulnerabilities. Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities.

Webserver Concepts

Webserver Attacks

Attack Methodology

Webserver Attack Tools

Webserver Pen Testing

Webserver Security Tools

Patch Management

Counter-measures

This section describes patch management concepts used to fix bugs in the web servers in order to protect them from vulnerabilities and attacks.


Patches and Hotfixes

A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve the usability or performance of a computer program or its supporting data

A patch can be considered as a repair job to a programming problem

Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer organization

Users may be notified through emails or through the vendor's website

Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack


Patches and Hotfixes

A patch is a program used to make changes in the software installed on a computer. Patches are used to fix bugs, to address the security problems, to add functionality, etc. A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job to a programming problem. A hotfix is a package that includes various files used specifically to address various problems of software. Hotfixes are used to fix bugs in a product. Users are updated about the latest hotfixes by vendors through email or they can be downloaded from the official website. Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer organization. Users may be notified through emails or through the vendor's website. Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.


What Is Patch Management?

"Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities"

An automated patch management process:

Maintain: Subscribe to get notifications about vulnerabilities as they are reported

Detect: Use tools to detect missing security patches

Deploy: Deploy the patch to the computers and make sure the applications are not affected

Assess: Assess the issue(s) and its associated severity by mitigating the factors that may influence the decision

Test: Install the patch first on a testing machine to verify the consequences of the update

Acquire: Download the patch for testing


What Is Patch Management?

According to http://searchenterprisedesktop.techtarget.com, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. It involves the following:

Choosing, verifying, testing, and applying patches

Updating previously applied patches with current patches

Listing patches applied previously to the current software

Recording repositories, or depots, of patches for easy selection

Assigning and deploying the applied patches

1. Detect: It is very important to always detect missing security patches through proper detecting tools. If there is any delay in the detection process, chances of malicious attacks are very high.

2. Assess: Once the detection process is finished it is always better to assess various issues and the associated factors related to them, and better to implement those strategies where issues can be drastically reduced or eliminated.

3. Acquire: The suitable patch required to fix the issues has to be downloaded.


4. Test: It is always suggested to first install the required patch onto the testing system rather than the main system, as this provides a chance to verify the various consequences of updating.

5. Deploy: Patches are to be deployed into the systems with utmost care, so no application of the system is affected.

6. Maintain: It is always useful to subscribe to get notifications about various possible vulnerabilities as they are reported.


Identifying Appropriate Sources for Updates and Patches

First make a patch management plan that fits the operational environment and business objectives

Find appropriate updates and patches on the home sites of the applications' or operating systems' vendors

The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts

It is very important to identify the appropriate source for updates and patches. Keep the following points related to patch management in mind. Patch management that suits the operational environment and business objectives should be properly planned. Find appropriate updates and patches on the home sites of the applications' or operating systems' vendors. The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.


Installation of a Patch

Users can access and install security patches via the World Wide Web. Patches can be installed in two ways:

Manual Installation: In this method, the user has to download the patch from the vendor and apply it.

Automatic Installation: In this method, the applications use the AutoUpdate feature to update themselves.

You should search for a suitable patch and install it from the Internet. Patches can be installed in two ways:

Manual Installation: In the manual installation process, the user downloads the suitable patch from the vendor and applies it.

Automatic Installation: In automatic installation, the applications, with the help of the auto update feature, get updated automatically.


Implementation and Verification of Security Patch or Upgrade

Before installing any patch, verify the source

Use a proper patch management program to validate file versions and checksums before deploying security patches

The patch management tool must be able to monitor the patched systems

The patch management team should check for updates and patches regularly

You should be aware of a few things before implementing a patch. The following points should be kept in mind:

Before installing any patch, its source should be properly verified.
Use a proper patch management program to validate file versions and checksums before deploying security patches.
The patch management team should check for updates and patches regularly.
A patch management tool must be able to monitor the patched systems.
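The checksum check and the applied-patch inventory described in the patch management steps and in the verification points above, as an added example. This is not code from EC-Council or from any patch management product named on this page; the patch bytes, the "vendor-published" checksum, the patch identifiers, the hostname and the required baseline are all constructed for the example.

```python
"""Patch checksum verification and applied-patch inventory.

Added example for the patch management steps (detect, acquire, test, deploy,
maintain) and the "validate checksums before deploying" point. Not code from
any vendor or tool named on the page. All data below (patch bytes, the
"published" checksum, patch identifiers, hostnames) is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class PatchRecord:
    patch_id: str   # vendor bulletin / patch identifier (constructed placeholder)
    version: str    # software version the patch brings the host to
    sha256: str     # checksum the patch file was verified against


@dataclass
class HostInventory:
    """Per-host record of previously applied patches (the 'listing' activity)."""
    hostname: str
    applied: dict = field(default_factory=dict)   # patch_id -> PatchRecord


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_patch(data: bytes, published_sha256: str) -> bool:
    """Verify the source: the downloaded bytes must hash to the checksum the
    vendor publishes out of band (on its site), never one shipped with the file.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.lower())


def parse_version(version: str) -> tuple:
    """'2.2.1' -> (2, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def record_applied(inv: HostInventory, patch_id: str, version: str,
                   data: bytes, published_sha256: str) -> bool:
    """Deploy step: a patch whose checksum does not verify is rejected and
    never enters the inventory. Returns True only when recorded."""
    if not verify_patch(data, published_sha256):
        return False
    inv.applied[patch_id] = PatchRecord(patch_id, version, published_sha256.lower())
    return True


def missing_patches(inv: HostInventory, required: dict) -> list:
    """Detect step: compare the host against a required baseline
    (patch_id -> minimum version). A patch is missing when it was never
    applied or the applied version is older than the baseline."""
    missing = []
    for patch_id, min_version in required.items():
        rec = inv.applied.get(patch_id)
        if rec is None or parse_version(rec.version) < parse_version(min_version):
            missing.append(patch_id)
    return sorted(missing)


# Constructed sample data: a stand-in patch file and its vendor-published checksum.
PATCH_BYTES = b"-- constructed patch payload for this example --\n"
PUBLISHED_SHA256 = sha256_hex(PATCH_BYTES)   # in practice copied from the vendor site
TAMPERED_BYTES = PATCH_BYTES + b"# one extra byte changes the hash\n"

# Constructed baseline: patches every web server in the estate must carry.
REQUIRED_BASELINE = {"PATCH-0001": "2.2.1", "PATCH-0002": "1.0.0", "PATCH-0003": "3.0"}


def demo() -> HostInventory:
    """Runs the workflow on a constructed host and returns its inventory."""
    inv = HostInventory("web01.example.invalid")
    record_applied(inv, "PATCH-0001", "2.2.1", PATCH_BYTES, PUBLISHED_SHA256)    # accepted
    record_applied(inv, "PATCH-0002", "1.0.0", TAMPERED_BYTES, PUBLISHED_SHA256)  # rejected
    return inv


if __name__ == "__main__":
    inventory = demo()
    print("applied:", sorted(inventory.applied))
    print("missing:", missing_patches(inventory, REQUIRED_BASELINE))
```

The tampered patch is rejected before it can be recorded, and the baseline comparison then reports it, together with the never-applied PATCH-0003, as missing. Comparing the checksum against a value taken from the vendor's site rather than from a file bundled with the download is the point of the "verify the source" step.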


Patch Management Tool: Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. It also scans a computer for insecure configuration settings.

Source: http://www.microsoft.com

The Microsoft Baseline Security Analyzer (MBSA) allows you to identify missing security updates and common security misconfigurations. It is a tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.


[Screenshot: Microsoft Baseline Security Analyzer 2.2, Report Details for WORKGROUP - WIN-MSSELCK4K41 (2012-10-12 10:28:06). Security assessment: Incomplete Scan (Could not complete one or more requested checks). Scanned with MBSA version 2.2.2170.0, security update catalog Microsoft Update. Security Update Scan Results: no security updates are missing for Developer Tools, Runtimes, and Redistributables; Office; and SQL Server.]

FIGURE 12.30: Microsoft Baseline Security Analyzer (MBSA)


Patch Management Tools

In addition to MBSA, there are many other tools that can be used for identifying missing patches, security updates, and common security misconfigurations. A list of patch management tools follows:

Altiris Client Management Suite available at http://www.symantec.com
GFI LANguard available at http://www.gfi.com
Kaseya Security Patch Management available at http://www.kaseya.com
ZENworks Patch Management available at http://www.novell.com
Security Manager Plus available at http://www.manageengine.com
Prism Patch Manager available at http://www.newboundary.com
MaaS360 Patch Analyzer Tool available at http://www.maas360.com
Secunia CSI available at http://secunia.com
Lumension Patch and Remediation available at http://www.lumension.com
VMware vCenter Protect available at http://www.vmware.com


Module Flow

Web servers should always be secured in the networked computing environment to avoid the threat of being attacked. Web server security can be monitored and managed with the help of web server security tools.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures

This section lists and describes various web server security tools.


Web Application Security Scanner: Syhunt Dynamic

Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats.

Source: http://www.syhunt.com

Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats. Features:

Black-Box Testing - Assesses the web application security through remote scanning. Supports any web server platform.

White-Box Testing - By automating the process of reviewing the web application's code, Sandcat's code scanning functionality can make the life of QA testers easier, helping them quickly find and eliminate security vulnerabilities from web applications. Supports ASP, ASP.NET, and PHP.

Concurrency/Scan Queue Support - Multiple security scans can be queued and the number of threads can be adjusted.

Deep Crawling - Runs security tests against pages discovered by crawling a single web URL or a set of URLs provided by the user.

Advanced Injection - Maps the entire website structure (all links, forms, XHR requests, and other entry points) and tries to find custom, unique vulnerabilities by simulating a wide range of attacks/sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion, and many other web application vulnerability classes.

Reporting - Generates a report containing information about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it gets added to the report. Sandcat's reports also contain charts, statistics and compliance information. Syhunt offers a set of report templates tailored for different audiences.

Local or Remote Storage - Scan results are saved locally (on the disk) or remotely (in the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.

In addition to its GUI (Graphical User Interface) functionalities, Syhunt offers an easy to use command-line interface.


[Screenshot: Syhunt Dynamic scan window listing crawled pages and XSS findings.]

FIGURE 12.31: Syhunt Dynamic Screenshot

Module 12 Page 1700

Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Webservers

Exam 312-50 Certified Ethical Hacker

Web Application Security Scanner: N-Stalker Web Application Security Scanner

N-Stalker is a WebApp Security Scanner to search for vulnerabilities such as SQL injection, XSS, and known attacks.

Source: http://www.nstalker.com

N-Stalker Web Application Security Scanner is a web security assessment solution for your web applications. It is a security assessment tool that incorporates the N-Stealth HTTP security scanner. It searches for vulnerabilities such as SQL injection, XSS, and known attacks. It helps in managing the web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.


[Screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition, showing the scanner event list, vulnerability counts by severity and the web server information found.]

FIGURE 12.32: N-Stalker Web Application Security Scanner


Web Server Security Scanner: Wikto

Source: http://www.sensepost.com

Wikto is for Windows, with a couple of extra features including fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework. Wikto may not test for SQL injections, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.


Web Server Security Scanner: Acunetix Web Vulnerability Scanner

Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools to ease manual security audit processes, and also creates professional security audit and regulatory compliance reports.

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools to ease the manual security audit processes, and also creates professional security audit and regulatory compliance reports.

[Screenshot: Acunetix Web Vulnerability Scanner (Free Edition) scan of http://www.juggyboy.com:80/, 381 requests, scan finished, Acunetix Threat Level 0: Safe; the site structure tree and the Tools panel (Site Crawler, Target Finder, Subdomain Scanner, Blind SQL Injector, HTTP Editor, HTTP Sniffer, HTTP Fuzzer, Authentication Tester, Compare Results) are visible.]

FIGURE 12.34: Acunetix Web Vulnerability Scanner


Web Server Malware Infection Monitoring Tool: HackAlert

HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements

Protects clients and customers from malware injected websites, drive by downloads, and malicious advertising
Identifies malware before the website is flagged as malicious
Displays injected code snippets to facilitate remediation
Deploys as cloud-based SaaS or as a flexible API for enterprise integration
Integrates with WAF or web server modules for instant mitigation

Source: http://www.armorize.com

HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements. Optimizing multiple analysis techniques, the service identifies injected malware and generates alarms before search engines blacklist the website. This enables immediate remediation to protect customers, business reputation, and revenues. It is accessed either via a web-based SaaS interface or a flexible API that facilitates integration with enterprise security tools.


[Screenshot: HackAlert dashboard.]

FIGURE 12.35: HackAlert Screenshot


Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection

QualysGuard Malware Detection Service scans websites for malware infections and threats.

Source: http://www.qualys.com

QualysGuard Malware Detection Service scans websites thoroughly for malware infections and for a variety of threats. It provides automated alerts and reports that enable you to identify and resolve the threat. It can also be used to protect the customers of an organization from malware infections and safeguard their brand reputations, preventing website blacklisting. It regularly schedules scanning to monitor websites on an ongoing basis, with email alerts to quickly notify organizations when infections are discovered. Malware infection details are provided so that organizations can take quick action to isolate and remove malware.
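The core of what the two monitoring services above (HackAlert and QualysGuard Malware Detection) do for a site owner is compare what the web server is serving now against what it is supposed to serve, and surface the injected snippet. The following added example shows that check in miniature; it is not code from Armorize, Qualys or EC-Council. Both HTML pages, the site host www.example.com and the bad.invalid domain are constructed for the example.

```python
"""Web page injection monitor.

Added example for the malware infection monitoring described under HackAlert
and QualysGuard. Not code from either product. It compares a served HTML page
with a known-good baseline and reports <script> and <iframe> elements that
were not in the baseline, together with the injected snippet an operator
needs for remediation. Pages, site host and the bad.invalid domain are
constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ActiveContentCollector(HTMLParser):
    """Collects external scripts, inline scripts and iframes with their raw markup."""

    def __init__(self):
        super().__init__()
        self.items = []          # (kind, key, snippet)
        self._script_tag = None  # raw <script> start tag while inside an inline script
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        raw = self.get_starttag_text()
        if tag == "script":
            if a.get("src"):
                self.items.append(("script-src", a["src"], raw))
            else:
                self._script_tag, self._script_buf = raw, []
        elif tag == "iframe":
            self.items.append(("iframe", a.get("src") or "", raw))

    def handle_data(self, data):
        if self._script_tag is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_tag is not None:
            body = "".join(self._script_buf).strip()
            # Inline scripts are keyed by the hash of their body, so an edited body shows up.
            key = hashlib.sha256(body.encode("utf-8")).hexdigest()
            self.items.append(("script-inline", key, self._script_tag + body[:80]))
            self._script_tag = None


def extract_active_content(html: str) -> list:
    parser = _ActiveContentCollector()
    parser.feed(html)
    parser.close()
    return parser.items


def page_fingerprint(html: str) -> str:
    """Whole-page hash: the cheap first check that anything at all changed."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def _is_external(ref: str, site_host: str) -> bool:
    host = urlparse(ref).netloc.lower()
    return bool(host) and host != site_host.lower()


def find_injected(baseline_html: str, current_html: str, site_host: str) -> list:
    """Active content present now but absent from the baseline. Content that
    loads from a host other than the site's own is rated high, since that is
    the shape of a drive-by download; a changed inline script is medium."""
    known = {(kind, key) for kind, key, _ in extract_active_content(baseline_html)}
    findings = []
    for kind, key, snippet in extract_active_content(current_html):
        if (kind, key) in known:
            continue
        external = kind != "script-inline" and _is_external(key, site_host)
        findings.append({"kind": kind, "key": key,
                         "severity": "high" if external else "medium",
                         "snippet": snippet})
    return findings


# Constructed sample pages.
SITE_HOST = "www.example.com"
BASELINE_HTML = """<html><head><title>Home</title>
<script src="/js/app.js"></script></head>
<body><h1>Welcome</h1><script>trackPage("home");</script></body></html>"""
# The same page after a constructed infection: an external script and a hidden iframe appended.
INFECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="http://bad.invalid/x.js"></script>'
    '<iframe src="http://bad.invalid/e.html" width="0" height="0" style="visibility:hidden">'
    '</iframe></body>')


if __name__ == "__main__":
    for finding in find_injected(BASELINE_HTML, INFECTED_HTML, SITE_HOST):
        print(finding["severity"], finding["kind"], finding["snippet"])
```

Run on the constructed pages it reports the foreign script and the zero-size iframe as high, each with the markup that was injected, which is the "injected code snippet" a remediation needs. A real deployment would fetch the live page on a schedule, as both services do, and keep the baseline from a copy taken when the site was known clean.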


[Screenshot: QualysGuard Malware Detection portal. Left: Site Creation, Step 5 of 5 (Review and confirm your settings) for "Own Site" with site URL http://www.juggyboy.com, Maximum Pages 200, and crawl exclusion lists. Right: Scan Management for "Own Site" listing scanned page URLs with High/Med/Low/Info counts (all 0) and per-scan status (Finished, Canceled).]

FIGURE 12.36: QualysGuard Malware Detection Screenshot


Webserver Security Tools

Webserver security tools scan large, complex websites and web applications to tackle web-based vulnerabilities. These tools identify application vulnerabilities as well as site exposure risk, rank threat priority, produce highly graphical, intuitive HTML reports, and indicate site security posture by vulnerabilities and threat level. Some of the web server security tools include:

Retina CS available at http://www.beyondtrust.com
Nscan available at http://nscan.hypermart.net
NetIQ Secure Configuration Manager available at http://www.netiq.com
SAINTscanner available at http://www.saintcorporation.com
HP WebInspect available at https://download.hpsmartupdate.com
Arirang available at http://monkey.org
N-Stealth Security Scanner available at http://www.nstalker.com
Infiltrator available at http://www.infiltration-systems.com
WebCruiser available at http://sec4app.com
dotDefender available at http://www.applicure.com

Module 12 Page 1711

Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Webservers

Exam 312-50 Certified Ethical Hacker

Module Flow

The whole idea behind ethical hacking is to hack your own network or system in an attempt to find the vulnerabilities and fix them before a real attacker exploits them. As a penetration tester, you should conduct a penetration test on web servers in order to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures

Module 12 Page 1712


Web Server Pen Testing Tool: CORE Impact Pro

Source: http://www.coresecurity.com

CORE Impact Pro is a software solution for assessing and testing security vulnerabilities in the organization's:

Web applications
Network systems
Endpoint systems
Wireless networks
Network devices
Mobile devices
IPS/IDS and other defenses

CORE Impact Pro helps you penetrate web servers to find vulnerabilities and weaknesses in the web server. By safely exploiting vulnerabilities in your network infrastructure, this tool identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments. This tool is able to perform the following:

Identify weaknesses in web applications, web servers, and associated databases
Dynamically generate exploits that can compromise security weaknesses
Demonstrate the potential consequences of a breach
Gather information necessary for addressing security issues and preventing data incidents

Module 12 Page 1713


[Figure: screenshot of the CORE Impact Pro console, showing its exploit module list and the Network Attack and Penetration wizard]

FIGURE 12.37: CORE Impact Pro Screenshot

Module 12 Page 1714


Web Server Pen Testing Tool: Immunity CANVAS

Source: http://www.immunitysec.com

CANVAS is an automated exploitation system and a comprehensive, reliable exploit development framework for security professionals and penetration testers. It allows a pen tester to discover and exploit security vulnerabilities on the web server.
[Figure: screenshot of the Immunity CANVAS console, showing its module tree (Recon, Exploits, Denial of Service Modules, Post Exploit Control) and the Current Status log]

FIGURE 12.38: Immunity CANVAS Screenshot

Module 12 Page 1715


Web Server Pen Testing

Web server pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Why Web Server Pen Testing?

Web server pen testing is useful for:

Identification of Web Infrastructure: To identify the make, version, and update level of web servers; this helps in selecting exploits to test for associated published vulnerabilities.

Verification of Vulnerabilities: To exploit the vulnerability in order to confirm it and fix the issue.

Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that the fix is effective.

Module 12 Page 1716


Web Server Penetration Testing

Web server penetration testing starts with collecting as much information as possible about an organization, ranging from its physical location to its operating environment. The following are the series of steps conducted by the pen tester to penetrate a web server:

Step 1: Search open sources for information about the target

Try to collect as much information as possible about the target organization's web server, ranging from its physical location to its operating environment. You can obtain such information from the Internet, newsgroups, bulletin boards, etc.

Step 2: Perform social engineering

Use social engineering techniques to collect information such as human resources, contact details, etc. that may help in web server authentication testing. You can also perform social engineering through social networking sites or dumpster diving.

Step 3: Query the Whois databases

Use Whois database query tools such as Whois, Traceroute, Active Whois, etc. to get details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.

Step 4: Document all information about the target

Module 12 Page 1717

You should document all the information obtained from the various sources.

Note: Refer to Module 02: Footprinting and Reconnaissance for more information about information-gathering techniques.

Module 12 Page 1718


Web Server Penetration Testing (Cont'd)

Step 5: Fingerprint the web server

Perform fingerprinting on the web server to gather information such as server name, server type, operating system, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.

Step 6: Perform website crawling

Crawl the website to gather specific types of information from web pages, such as email addresses. Tools such as Metagoofil harvest email addresses and document metadata from a target's public files; note that httprint, which the slide lists for this step, is a server fingerprinting tool and belongs with Step 5.

Step 7: Enumerate web directories

Enumerate web server directories to extract important information such as web functionalities, login forms, etc. You can do this by using tools such as DirBuster.

Step 8: Perform a directory traversal attack

Perform a directory traversal attack to access restricted directories and read or execute files outside of the web server's root directory. Automated tools such as DirBuster can supply candidate paths; the traversal test itself consists of requesting paths containing ../ sequences and their URL-encoded and double-encoded variants, and checking whether a file outside the document root (for example /etc/passwd) is returned.
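The traversal check in Step 8, as an added example that is not part of the EC-Council courseware: a naive URL-to-filesystem mapping of the kind a vulnerable server uses, beside a hardened version that normalizes the path and refuses anything outside the document root, with a probe that runs the same encoded and double-encoded payloads against both. The document root /var/www/html and the payload list are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example (hypothetical; not from the courseware).
DOC_ROOT = "/var/www/html"

# Constructed traversal payloads a tester would send in the request path.
TRAVERSAL_PAYLOADS = [
    "../../../etc/passwd",                          # plain dot-dot-slash
    "..%2f..%2f..%2fetc%2fpasswd",                  # URL-encoded slashes
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",              # URL-encoded dots
    "%252e%252e/%252e%252e/%252e%252e/etc/passwd",  # double-encoded dots
    "images/../../../../etc/passwd",                # climbing out of a subdirectory
]


def is_inside_root(path: str) -> bool:
    """True if path is DOC_ROOT itself or a descendant of it."""
    return path == DOC_ROOT or path.startswith(DOC_ROOT + "/")


def vulnerable_resolve(request_path: str) -> str:
    """Map a URL path onto the filesystem with no containment check.

    This is the defect a traversal attack exploits: the decoded path is glued
    onto DOC_ROOT and '..' segments are allowed to climb above it.
    """
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))


def hardened_resolve(request_path: str):
    """Map a URL path onto the filesystem, refusing anything outside DOC_ROOT.

    Returns the resolved absolute path, or None when the request is rejected.
    The value is decoded twice on purpose so that double-encoded sequences
    (%252e%252e) are caught as well; a NUL byte is rejected outright.
    """
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if not is_inside_root(candidate):
        return None
    return candidate


def probe(resolver) -> list:
    """Run every payload through `resolver` and return those that escape DOC_ROOT.

    This is the check a pen tester performs: for each payload, does the server
    hand back a path (and therefore a file) that lives outside the document root?
    """
    escaped = []
    for payload in TRAVERSAL_PAYLOADS:
        resolved = resolver(payload)
        if resolved is not None and not is_inside_root(resolved):
            escaped.append(payload)
    return escaped


if __name__ == "__main__":
    print("vulnerable server leaks on:", probe(vulnerable_resolve))
    print("hardened server leaks on:  ", probe(hardened_resolve))
```

Note that the vulnerable resolver does not leak on the double-encoded payload because it decodes only once; that payload only works against a server (or a proxy in front of it) that decodes a second time, which is exactly why a tester sends both encodings.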

Module 12 Page 1719


Web Server Penetration Testing (Cont'd)

Step 9: Perform vulnerability scanning

Perform vulnerability scanning to identify weaknesses in the web server and its network using tools such as HP WebInspect, Nessus, etc., and determine if the system can be exploited. Also examine the web server's configuration files for insecure settings.

Step 10: Perform an HTTP response splitting attack

Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data, unsanitized, in an HTTP response header. Injected CR/LF characters terminate the header, so the attacker can append further headers or even a complete second response of their own.

Step 11: Perform a web cache poisoning attack

Perform a web cache poisoning attack to make the web server's cache (or an intermediate caching proxy) discard its legitimate content and store a specially crafted response instead; response splitting is a common way to plant such a response.

Step 12: Brute-force login credentials

Brute-force SSH, FTP, and other services' login credentials to gain unauthorized access.

Step 13: Perform session hijacking

Perform session hijacking to capture valid session cookies and IDs. You can use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
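Steps 10 and 11 together, as an added example that is not code from the EC-Council courseware: a redirect handler that copies a request parameter into the Location header unchecked, the same handler hardened by rejecting control characters and percent-encoding the value, and a small response parser that reads a byte stream the way a caching proxy would. Feeding a CR/LF payload through the vulnerable builder yields two responses where there should be one, which is the splitting signature that cache poisoning builds on. The host www.example.com and the attack string are constructed for the example.

```python
from typing import Callable, List, Optional
from urllib.parse import quote

CRLF = "\r\n"


class HeaderInjectionError(ValueError):
    """Raised when user input would break out of an HTTP header line."""


def build_redirect_vulnerable(lang: str) -> str:
    """Build a 302 redirect whose Location header copies user input unchecked.

    This is the defect response splitting exploits: a CR/LF inside `lang`
    terminates the header, and everything after it becomes new header lines
    or even a whole second response.
    """
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: http://www.example.com/?lang=" + lang + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_hardened(lang: str) -> str:
    """Same redirect, but the value is validated and encoded for the URL context.

    Control characters are rejected and the rest is percent-encoded, so no byte
    of user input can ever end a header line.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in lang):
        raise HeaderInjectionError("control characters are not allowed in a header value")
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: http://www.example.com/?lang=" + quote(lang, safe="") + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def split_responses(raw: str) -> List[dict]:
    """Parse a stream of HTTP responses the way a proxy or cache would.

    A message is a status line, header lines up to an empty line, then a body of
    Content-Length bytes (0 if absent). Parsing stops at trailing junk that has
    no valid status line.
    """
    messages = []
    pos = 0
    while pos < len(raw):
        while raw.startswith(CRLF, pos):      # tolerate blank lines between messages
            pos += len(CRLF)
        end = raw.find(CRLF + CRLF, pos)
        if end == -1:
            break
        lines = raw[pos:end].split(CRLF)
        status = lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + len(CRLF + CRLF)
        length = int(headers.get("content-length", "0"))
        messages.append({"status": status, "headers": headers,
                         "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return messages


# Constructed attack value for the lang parameter: it closes the real redirect
# and appends a complete attacker-controlled 200 response (body is 19 bytes).
ATTACK_LANG = (
    "en" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 19" + CRLF
    + CRLF
    + "<html>Hacked</html>"
)


def statuses_seen_by_proxy(builder: Callable[[str], str], lang: str) -> Optional[List[str]]:
    """Status lines a downstream proxy parses out of builder(lang), or None if the
    builder refused the input. Two statuses from one request is the splitting
    signature."""
    try:
        raw = builder(lang)
    except HeaderInjectionError:
        return None
    return [m["status"] for m in split_responses(raw)]


if __name__ == "__main__":
    print("vulnerable:", statuses_seen_by_proxy(build_redirect_vulnerable, ATTACK_LANG))
    print("hardened:  ", statuses_seen_by_proxy(build_redirect_hardened, ATTACK_LANG))
```

The poisoning step follows from the split: if the attacker pipelines a second request (say for /index.html) on the same connection, a proxy that matches responses to requests in order pairs the injected 200 with that second URL and may cache it, serving the attacker's page to every later client until it expires.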

Module 12 Page 1720


Webserver Penetration Testing (Cont'd)

Step 14: Perform a MITM attack

Perform a man-in-the-middle (MITM) attack to access sensitive information by intercepting and altering communications between an end user and the web server.

Step 15: Perform web application pen testing

Perform web application pen testing to determine whether the applications hosted on the server are prone to vulnerabilities. Attackers can compromise a web server through a single vulnerable web application.

Note: Refer to Module 13: Hacking Web Applications for more information on how to conduct web application pen testing.

Step 16: Examine web server logs

Examine the server logs for suspicious activities. You can do this by using tools such as Webalizer, AWStats, Ktmatu Relax, etc.

Step 17: Exploit frameworks

Exploit the frameworks used by the web server using tools such as Acunetix, Metasploit, w3af, etc.

Step 18: Document all the findings

Summarize all the tests conducted so far along with the findings for further analysis. Submit a copy of the penetration test report to the authorized person.
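The log examination in Step 16, as an added example that is not part of the EC-Council courseware: the statistics tools named above summarize traffic, but the checks an analyst actually wants are pattern matches over the raw access log. This script parses Apache combined-format lines and flags the traces the earlier steps leave behind, namely traversal attempts (including URL-encoded ones), scanner User-Agents such as DirBuster, and repeated login failures followed by a success. The log lines, IP addresses (from the RFC 5737 documentation ranges) and the /login path are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format; the traffic is invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2012:10:01:05 +0000] "GET /../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.26.0"
198.51.100.23 - - [10/Sep/2012:10:01:06 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.26.0"
198.51.100.23 - - [10/Sep/2012:10:01:09 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
198.51.100.23 - - [10/Sep/2012:10:01:09 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
192.0.2.44 - - [10/Sep/2012:10:02:01 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2012:10:02:02 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2012:10:02:02 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2012:10:02:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2012:10:02:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Sep/2012:10:02:04 +0000] "POST /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2012:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
"""

# Apache combined format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SCANNER_AGENTS = ("dirbuster", "nikto", "nessus", "sqlmap", "w3af")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_traversal(entries: list) -> list:
    """Entries whose path contains '../' after URL-decoding twice (to catch %252e)."""
    return [e for e in entries if TRAVERSAL_RE.search(unquote(unquote(e["path"])))]


def find_scanners(entries: list) -> list:
    """Source IPs whose User-Agent names a known scanner or directory brute-forcer."""
    return sorted({e["ip"] for e in entries
                   if any(s in e["agent"].lower() for s in SCANNER_AGENTS)})


def find_bruteforce(entries: list, login_path: str = "/login", threshold: int = 5) -> dict:
    """IPs with at least `threshold` failed (401) POSTs to login_path, and whether a
    200 from the same IP followed the failures, which suggests a guessed password."""
    failures = Counter()
    succeeded = set()
    for e in entries:
        if e["method"] != "POST" or e["path"] != login_path:
            continue
        if e["status"] == 401:
            failures[e["ip"]] += 1
        elif e["status"] == 200 and failures[e["ip"]] >= threshold:
            succeeded.add(e["ip"])
    return {ip: {"failures": n, "login_succeeded_after": ip in succeeded}
            for ip, n in failures.items() if n >= threshold}


def analyze(text: str) -> dict:
    """Run all three checks over a log and return the findings."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "traversal_attempts": [(e["ip"], e["path"]) for e in find_traversal(entries)],
        "scanner_ips": find_scanners(entries),
        "bruteforce": find_bruteforce(entries),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Two caveats a practitioner would add: the User-Agent is attacker-controlled and any serious tester sets it to a browser string, so the scanner check only catches the careless; and the brute-force threshold should be tuned against the site's normal failure rate and scoped to a time window on a real log rather than applied to the whole file.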

Module 12 Page 1721


Module Summary

Web servers assume critical importance in the realm of Internet security. Vulnerabilities exist in different releases of popular web servers, and the respective vendors patch these often.

The inherent security risks owing to compromised web servers have an impact on the local area networks that host these websites, and even on the ordinary users of web browsers.

Looking through the long list of vulnerabilities that have been discovered and patched over the past few years, an attacker has ample scope to plan attacks against unpatched servers.

Different tools and exploit codes aid an attacker in perpetrating web server hacking. Countermeasures include scanning for existing vulnerabilities and patching them immediately, restricting anonymous access, and screening and filtering incoming traffic requests.

Module 12 Page 1722
