CEHv8 Module 12 Hacking Webservers PDF


Hacking Webservers
Module 12

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Hacking Webservers

Engineered by Hackers. Presented by Professionals.

Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers
Exam 312-50

Module 12 Page 1601 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012

Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.

A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.


AnonymousOwn3r's bio reads "Security leader of #Anonymous ("Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.

Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti godaddy, you guys will understand because i did this attack."

Copyright © 2012 AOL Inc.

By Klint Finley

http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


Module Objectives

- IIS Webserver Architecture
- Why Web Servers Are Compromised?
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- Countermeasures
- How to Defend Against Web Server Attacks
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing

Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how the attacker hacks it, the different types of attacks that an attacker can carry out on web servers, the tools used in web server hacking, etc. Exploring web server security is a vast domain, and delving into the finer details of the discussion is beyond the scope of this module. This module familiarizes you with the topics listed above.


Module Flow

To understand hacking web servers, first you should know what a web server is, how it functions, and what the other elements associated with it are. All these are simply termed web server concepts. So first we will discuss web server concepts.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Counter-measures

This section gives you a brief overview of the web server and its architecture. It will also explain common reasons or mistakes made that encourage attackers to hack a web server and become successful in that. This section also describes the impact of attacks on the web server.


Web Server Market Shares

Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, i.e., 64.6%. Below that, Microsoft IIS is used by 17.4% of users.

FIGURE 12.1: Web Server Market Shares (bar chart: Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%, then Tomcat and Lighttpd; horizontal axis from 10% to 80%)


Open Source Web Server Architecture

The diagram below illustrates the basic components of open source web server architecture.

FIGURE 12.2: Open Source Web Server Architecture (site users, the site admin and attacks all reach the server over the Internet; on the Linux host, the file system, Apache, email, PHP, applications, MySQL and compiled extensions make up the stack)

Where,

- Linux - the server's operating system
- Apache - the web server component
- MySQL - a relational database
- PHP - the application layer


IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.

IIS, also known as Internet Information Services, is a web server application developed by Microsoft that can be used with Microsoft Windows. It is the second most widely used web server after the Apache HTTP server, occupying around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.

The diagram that follows illustrates the basic components of IIS web server architecture:

FIGURE 12.3: IIS Web Server Architecture. The client's request arrives over the Internet at the HTTP protocol stack (HTTP.SYS), which runs in kernel mode. In user mode, Svchost.exe hosts the Windows Activation Service (WAS) and the WWW Service, which hand the request to an application pool. Inside the application pool, the web server core (begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing) invokes native modules (anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging) and, through an AppDomain, managed modules such as Forms Authentication; the pool can also run external apps. The configuration store is shown in the figure as Host.config.


Website Defacement

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offending data. Defaced pages expose visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected.

Website Defacement

Website defacement is the process of changing the content of a website or web page by hackers. Hackers break into the web servers and alter the hosted website by creating something new.

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.

FIGURE 12.4: Website Defacement (browser screenshot of http://juggyboy.com/index.aspx whose content has been replaced with the text "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com")
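A defacement is discovered when someone notices that served content differs from what the administrator published. The following is an added example, not part of the CEH courseware: it hashes every file under a web root to form a baseline, then reports files that were modified, added or removed, which is the check a file-integrity monitor runs to detect an unauthorized change such as the one in Figure 12.4. The web root, its files and the simulated alteration are all constructed in a temporary directory; the function names are this example's own.

```python
"""Detect website defacement by comparing a web root against a hashed baseline.

Added example for the CEH defacement section (not courseware code). It builds
a constructed sample web root in a temporary directory, records a SHA-256
baseline of every file, simulates a defacement, and reports the differences.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map every file under web_root (as a relative POSIX path) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(web_root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Baseline a constructed web root, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.aspx").write_text("<html><body>Welcome</body></html>")
        (root / "css" / "site.css").write_text("body { color: black; }")
        baseline = build_baseline(root)

        # Simulated unauthorized change: landing page overwritten, a new page
        # dropped in, and a stylesheet deleted.
        (root / "index.aspx").write_text("<html><body>Site replaced</body></html>")
        (root / "hacked.html").write_text("replaced content")
        (root / "css" / "site.css").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline is stored off the web server (an attacker who can rewrite index.aspx can also rewrite a baseline kept beside it) and the scan is scheduled or triggered by file-system events; files that legitimately change at runtime (logs, caches, uploads) are excluded so that the alert list stays actionable.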


Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.

- Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. This may be in the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large complex programs are often considered the source of imminent security lapses. However, web servers are large complex devices and also come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

- Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make a web server almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server, so that legitimate users are recognized and authenticated, and various groups of users are assigned distinct access privileges.


- End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The table that follows shows the causes and consequences of web server compromises:

Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible

TABLE 12.1: Causes and consequences of web server compromises


Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:

- Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, then the attacker can gain a lot of useful information. The attacker can use the compromised user account to launch further attacks on the web server.

- Data tampering: The attacker can alter or delete the data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.

- Website defacement: Hackers completely change the look of the website by replacing the original data. They change the website's appearance by changing the visuals and displaying different pages with messages of their own.

- Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.

- Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive data of the company, such as the source code of a particular program.

- Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, semi-dedicated, or virtual private server. Attackers can perform any action once they get root access to the source.


Module Flow

Now that you are familiar with web server concepts, we move forward to the possible attacks on web servers. Each and every action online is performed with the help of a web server. Hence, it is considered a critical resource of an organization. This is the same reason for which attackers target web servers. There are many attack techniques used by the attacker to compromise a web server. Now we will discuss those attack techniques.

attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Counter-measures

Web Server Misconfiguration

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft.

Web Server Misconfiguration

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once these vulnerabilities are found by the attacker, such as remote access to the application, they become the doorways for the attacker to enter the company's network. These loopholes in the server can help attackers to bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website.

- Remote administration functions can be a source for breaking down the server for the attacker.
- Some unnecessary services enabled are also vulnerable to hacking.
- Misconfigured/default SSL certificates.
- Verbose debug/error messages.
- Anonymous or default users/passwords.
- Sample configuration and script files.

Web Server Misconfiguration Example

Consider the httpd.conf file on an Apache server.

    <Location /server-status>
        SetHandler server-status
    </Location>

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Consider another example, the php.ini file.

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server

This configuration gives verbose error messages.
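Both misconfigurations above are findable by reading configuration text, so a configuration audit can catch them before an attacker does. The following is an added example, not part of the CEH courseware: it parses a minimal subset of httpd.conf (Location blocks) and php.ini (key = value lines) from strings, flags a server-status handler that carries no access restriction, and flags display_errors = On. The weak configurations are the two from Figures 12.5 and 12.6; the hardened variants (an Apache 2.4 Require ip line and display_errors = Off) and all function names are this example's own.

```python
"""Audit Apache and PHP configuration text for the two misconfigurations above.

Added example for the CEH misconfiguration section (not courseware code).
The weak configurations are those shown in Figures 12.5 and 12.6; the
hardened ones beside them are constructed for the demonstration.
"""
import re

WEAK_HTTPD = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

HARDENED_HTTPD = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""

WEAK_PHP = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

HARDENED_PHP = """
display_errors = Off
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

# Matches each <Location PATH> ... </Location> block, capturing path and body.
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def audit_httpd(text: str) -> list:
    """Flag status/info handlers whose Location block has no access control."""
    findings = []
    for path, body in LOCATION_RE.findall(text):
        lines = [line.strip() for line in body.splitlines() if line.strip()]
        handler = next((line.split(None, 1)[1] for line in lines
                        if line.lower().startswith("sethandler ")), None)
        # Apache 2.4 uses Require; 2.2 used Order/Allow/Deny. Any of them counts.
        restricted = any(line.lower().startswith(("require ", "allow ", "deny ", "order "))
                         for line in lines)
        if handler in ("server-status", "server-info") and not restricted:
            findings.append(f"{path}: {handler} is exposed with no Require/Allow restriction")
    return findings


def parse_ini(text: str) -> dict:
    """Parse key = value lines, ignoring ';' comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit_php(text: str) -> list:
    """Flag settings that send error detail to the browser instead of the log."""
    settings = parse_ini(text)
    findings = []
    if settings.get("display_errors") in ("on", "1", "true"):
        findings.append("display_errors is On: errors (paths, queries) are shown to clients")
    if settings.get("log_errors") not in ("on", "1", "true"):
        findings.append("log_errors is Off: errors are not recorded for the administrator")
    return findings


if __name__ == "__main__":
    for label, text in (("weak httpd.conf", WEAK_HTTPD), ("hardened httpd.conf", HARDENED_HTTPD)):
        print(label, audit_httpd(text) or "OK")
    for label, text in (("weak php.ini", WEAK_PHP), ("hardened php.ini", HARDENED_PHP)):
        print(label, audit_php(text) or "OK")
```

The audit reads text rather than querying the live server, so it can run in a build pipeline against the configuration before deployment; the log_errors check is kept so that turning display_errors off does not silently discard the errors the administrator still needs.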

Example request from the slide (the listing it returns is shown in Figure 12.7):

http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

Directory Traversal Attacks


Web servers are designed so that public access is limited to the document root and a few explicitly exposed locations. Directory traversal is an attack on the way a web server or application maps a URL to a file-system path: by inserting ../ (or its encoded and backslash forms, such as ..%5c) into a URL, attackers are able to access restricted directories and, where a script or executable is reachable, execute commands outside of the web server root directory. Attackers can use the trial-and-error method to navigate outside of the root directory and access sensitive information on the system.

http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

 Volume in drive C has no label.
 Volume Serial Number is D45E-9FEE

 Directory of C:\

06/02/2010  11:31 AM             1,024 .rnd
09/28/2010  06:43 PM                 0 123.text
05/21/2010  03:10 PM                 0 AUTOEXEC.BAT
09/27/2010  08:54 PM    <DIR>          CATALINA_HOME
05/21/2010  03:10 PM                 0 CONFIG.SYS
08/11/2010  09:16 AM    <DIR>          Documents and Settings
09/25/2010  05:25 PM    <DIR>          Downloads
08/07/2010  03:38 PM    <DIR>          Intel
09/27/2010  09:36 PM    <DIR>          Program Files
05/26/2010  02:36 AM    <DIR>          Snort
09/28/2010  09:50 AM    <DIR>          WINDOWS
09/25/2010  02:03 PM           569,344 WinDump.exe
               7 File(s)        570,368 bytes
              13 Dir(s)  13,432,115,200 bytes free

FIGURE 12.7: Directory Traversal Attacks
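The mechanism behind Figure 12.7, in code added for this edition (it is not code from the original page): a path resolver in the naive form that lets the ..%5c.. request above escape the document root, the hardened form that decodes until the input stops changing, normalises and then refuses anything outside the root, and a detector that flags traversal attempts in web server access logs. The document root and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example (hypothetical path).
WEB_ROOT = "/var/www/html"


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e (which decode to %2e%2e, then ..) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def naive_resolve(web_root, requested):
    """Vulnerable: decodes once, treats a backslash like '/', joins and
    normalises, but never checks that the result is still under web_root."""
    rel = unquote(requested).replace("\\", "/")
    return posixpath.normpath(posixpath.join(web_root, rel))


def safe_resolve(web_root, requested):
    """Hardened: decode until stable, reject NUL, normalise, then refuse any
    path that is not web_root itself or below it. Returns None on refusal."""
    rel = fully_decode(requested).replace("\\", "/")
    if "\x00" in rel:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# A path segment that is exactly '..' in either separator style, after full decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal_attempt(path):
    """Detection view: does this request path contain a '..' segment once decoded?"""
    return bool(TRAVERSAL_RE.search(fully_decode(path)))


# Constructed access-log lines (not from the original page), common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2010:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [28/Sep/2010:10:01:07 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 200 1490
10.0.0.9 - - [28/Sep/2010:10:01:09 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 312
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_in_log(log_text):
    """Return the request targets in log_text whose path part is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group(1).split("?", 1)[0]):
            hits.append(m.group(1))
    return hits
```

The naive resolver turns the slide's request into /var/www/Windows/System32/cmd.exe, two levels above the root; the safe resolver returns None for it and for the double-encoded variant, while an ordinary image path resolves normally. The log scan catches both attack lines, including the %255c one that a single decode would miss.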


HTTP Response Splitting Attack

An HTTP response splitting attack involves adding header response data into the input field so that the server's single response is split into two responses.

The attacker controls the response that follows the injected line break, for example to redirect the user to a malicious website; any further responses are discarded by the web browser.

HTTP Response Splitting Attack


An HTTP response splitting attack is a web-based attack in which a server is tricked, by injecting new lines (CR LF) into response headers along with arbitrary header and body content, into emitting what the client parses as two responses. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL injection are other attacks in this web-based family, and response splitting is frequently used to deliver an XSS payload or to poison a cache. The attacker alters a single request so that the web server's answer appears to, and is processed by, the browser or an intermediate proxy as two responses; the server itself still believes it sent one. This is accomplished by adding header response data to an input field: the attacker passes malicious data to a vulnerable application, and the application copies the data into an HTTP response header without removing the line breaks. Everything after the injected blank line is under the attacker's control, so the attacker can use it to redirect the user to a malicious website or to serve an attacker-chosen page, whereas responses the browser does not expect are discarded.


Input = Jason

HTTP/1.1 200 OK
Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n

First Response (Controlled by Attacker)

HTTP/1.1 200 OK
Set-Cookie: author=JasonTheHacker

Second Response

HTTP/1.1 200 OK

String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);

FIGURE 12.8: HTTP Response Splitting Attack


Web Cache Poisoning Attack

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in cache.

Web Cache Poisoning Attack

Web cache poisoning is an attack on the trust placed in an intermediate web cache (a caching proxy or the server's own cache): the legitimate content cached for a given URL is replaced with attacker-supplied content. Users of the web cache then unknowingly receive the poisoned content instead of the true, secure content when they request that URL through the cache.

An attacker first forces the cache to drop its genuine copy of the page (for example with a Pragma: no-cache request) and then sends a specially crafted response-splitting request whose injected second response is stored in the cache under the URL of the page the attacker wants to replace. In the following diagram, the whole process of web cache poisoning is explained in detail with a step-by-step procedure.


Vulnerable script on the target (the diagram's example): http://www.juggyboy.com/welcome.php?lang=

<?php header("Location:" . $_GET['page']); ?>

1. Attacker sends a request to remove the page from the cache:

GET http://juggyboy.com/index.html HTTP/1.1
Pragma: no-cache
Host: juggyboy.com
Accept-Charset: iso-8859-1,*,utf-8

2. Normal response after clearing the cache for juggyboy.com.

3. Attacker sends the malicious request that generates two responses (4 and 6):

GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
Host: juggyboy.com

4. Attacker gets the first server response.

5. Attacker requests juggyboy.com again to generate a cache entry:

GET http://juggyboy.com/index.html HTTP/1.1
Host: testsite.com
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept-Charset: iso-8859-1,*,utf-8

6. Attacker gets the second response of request 3, which points to the attacker's page.

7. Poisoned server cache: www.juggyboy.com now serves the attacker's page.

FIGURE 12.9: Web Cache Poisoning Attack
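Both the response-splitting figure above and the cache-poisoning diagram rely on one parsing rule: a browser or proxy reads a byte stream as one response after another, so an injected CRLF pair followed by a second status line is taken for a second response. The following code, added here and not taken from the original page, models the vulnerable redirect handler (the shape of the diagram's PHP header("Location:" . $_GET['page'])), the hardened version that rejects CR and LF, a pipelining parser as a proxy uses, and a caching proxy that pairs responses with pipelined requests in order, which is how the attacker's page ends up cached under /index.html. The host name, the payload and the proxy model are constructed for the example.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"


def vulnerable_redirect(page):
    """Server side, the shape of the diagram's PHP header("Location:" . $_GET['page']):
    the user-supplied value is copied into a header line with no CR/LF check,
    and the server's own remaining headers follow it."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + page + CRLF
            + "Content-Type: text/html" + CRLF
            + "Content-Length: 0" + CRLF + CRLF)


def hardened_redirect(page):
    """The fix: refuse CR, LF and NUL in a header value (caller answers 400 on None)."""
    if re.search(r"[\r\n\x00]", page):
        return None
    return vulnerable_redirect(page)


def parse_responses(raw):
    """Client/proxy side: split one byte stream into the responses it holds,
    reading each body by Content-Length as a pipelining parser does. Stops at
    the first block whose first line is not a status line (a proxy would drop
    the connection there)."""
    responses, pos = [], 0
    while pos < len(raw):
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].split(CRLF)
        if not lines[0].startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + len(CRLF + CRLF)
        length = int(headers.get("content-length") or 0)
        responses.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


# Attacker's value for ?page= : the decoded form of the %0d%0a payload in the diagram.
ATTACK_BODY = "<html>Attack Page</html>"
ATTACK_PAGE = (CRLF                                          # ends the Location line early
               + "Content-Length: 0" + CRLF + CRLF           # closes response 1 with an empty body
               + "HTTP/1.1 200 OK" + CRLF                    # opens response 2, written by the attacker
               + "Content-Type: text/html" + CRLF
               + "Content-Length: " + str(len(ATTACK_BODY)) + CRLF + CRLF
               + ATTACK_BODY)


def caching_proxy_fetch(cache, pipelined_urls, raw_stream):
    """Model of a caching proxy that sent pipelined_urls on one connection and
    pairs the responses it parses, in order, with those requests."""
    for url, resp in zip(pipelined_urls, parse_responses(raw_stream)):
        cache[url] = resp
    return cache


def demo_cache_poisoning():
    """Constructed scenario on a hypothetical host: request 1 is the malicious
    redirect, request 2 is the page to poison. Returns the body now cached for it."""
    urls = ["http://juggyboy.com/redir.php?page=" + quote(ATTACK_PAGE),
            "http://juggyboy.com/index.html"]
    cache = caching_proxy_fetch({}, urls, vulnerable_redirect(ATTACK_PAGE))
    return cache["http://juggyboy.com/index.html"][2]
```

The diagram's Pragma: no-cache step is what clears the genuine copy first; after demo_cache_poisoning() the modelled proxy would serve ATTACK_BODY for /index.html until the entry expires. The hardened handler refuses the payload outright, which is the defence: header values must never carry CR or LF, whatever the framework.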


HTTP Response Hijacking


HTTP response hijacking is accomplished with a response splitting request. In this attack, the attacker first sends a response splitting request to the web server. The server's answer splits into two responses; on a shared connection (for example through a proxy) responses are matched to requests in order, so the first response goes to the attacker and the second, injected one is delivered to the victim. On receiving that response, the victim requests a service and supplies credentials. At the same time, the attacker requests the index page. Because the response que
ue has been shifted by one, the web server's response to the victim's request is delivered to the attacker, and the victim remains uninformed.

The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:


FIGURE 12.10: HTTP Response Hijacking


SSH Brute Force Attack

SSH is used to create an encrypted tunnel between two hosts so that otherwise unencrypted data can be carried over an insecure network.

Attackers can brute force SSH login credentials to gain unauthorized access to the SSH server and to any tunnel it offers.

SSH tunnels can then be used to transmit malware and other exploits to victims without being detected, because the traffic is encrypted and looks like legitimate administrative access.

SSH Brute Force Attack

SSH is used to create an encrypted tunnel between two hosts so that otherwise unencrypted data can be carried safely over an insecure network. To attack SSH, the attacker first scans the SSH server (its version, supported authentication methods and exposed accounts) to identify possible weaknesses. With the help of a brute force attack against password authentication, the attacker obtains login credentials. Once the attacker has SSH login credentials, he or she uses the same SSH tunnels to transmit malware and other exploits to victims without being detected, because the traffic is encrypted and hard to tell apart from legitimate administrative access.

FIGURE 12.11: SSH Brute Force Attack
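What the defender sees when the attack above runs against sshd, as an added example (it is not code from the original page): a scan over auth.log-style lines that counts failed logins per source address inside a sliding window, flags sources that exceed a threshold, and records when such a source later gets an Accepted line, which is the sign that the brute force succeeded. The log lines, addresses, host name and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the original page): one source tries
# six passwords within forty seconds and then logs in, another fails once.
SAMPLE_AUTH_LOG = """\
Sep 28 10:01:02 web1 sshd[2134]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 28 10:01:09 web1 sshd[2136]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep 28 10:01:15 web1 sshd[2138]: Failed password for invalid user test from 203.0.113.7 port 51034 ssh2
Sep 28 10:01:20 web1 sshd[2140]: Failed password for invalid user guest from 203.0.113.7 port 51040 ssh2
Sep 28 10:01:27 web1 sshd[2142]: Failed password for deploy from 203.0.113.7 port 51044 ssh2
Sep 28 10:01:33 web1 sshd[2144]: Failed password for deploy from 203.0.113.7 port 51048 ssh2
Sep 28 10:01:40 web1 sshd[2146]: Accepted password for deploy from 203.0.113.7 port 51052 ssh2
Sep 28 10:02:11 web1 sshd[2150]: Failed password for alice from 198.51.100.4 port 40012 ssh2
Sep 28 10:02:15 web1 sshd[2152]: Accepted publickey for alice from 198.51.100.4 port 40014 ssh2
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")


def parse_syslog_ts(line, year=2010):
    """Syslog timestamps carry no year; the caller supplies it."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60, year=2010):
    """Return {source_ip: summary} for sources with at least `threshold` failed
    logins inside any `window_seconds` span. The summary lists the user names
    tried and which account, if any, the source was later Accepted for."""
    failures = defaultdict(list)      # ip -> timestamps of failed logins
    tried = defaultdict(set)          # ip -> user names attempted
    alerts = {}
    for line in log_text.splitlines():
        ts = parse_syslog_ts(line, year)
        if ts is None:
            continue
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(ts)
            tried[ip].add(user)
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts[ip] = {"failures": len(failures[ip]),
                              "users": sorted(tried[ip]),
                              "compromised_account": alerts.get(ip, {}).get("compromised_account")}
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in alerts:
            alerts[m.group(2)]["compromised_account"] = m.group(1)
    return alerts
```

Over SAMPLE_AUTH_LOG the detector reports 203.0.113.7 with six failures across five user names and a later Accepted for deploy; the single failure from 198.51.100.4 never reaches the threshold. The same counting, with a firewall ban instead of a report, is what fail2ban's sshd jail does. Key-only authentication and a per-source connection limit remove the attack surface rather than merely detecting its use.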


Man-in-the-Middle Attack

Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers.

The attacker acts as a proxy such that all the communication between the user and the web server passes through him.

Man-in-the-Middle Attack

A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages being exchanged between the user and the web server by eavesdropping on or intruding into a connection. This allows an attacker to steal sensitive information of a user, such as online banking details, user names, passwords, etc., transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through him by pretending to be a proxy. If the victim accepts the attacker as the path to the server, all the communication between the user and the web server passes through the attacker, who can read or alter it. Thus, the attacker can steal sensitive user information.


1. User visits a website (normal traffic between the user and the web server).
2. Attacker sniffs the communication to steal session IDs.

FIGURE 12.12: Man-in-the-Middle Attack


Webserver Password Cracking

An attacker tries to exploit weaknesses in how passwords are chosen and protected in order to crack them.

Many hacking attempts start with cracking passwords and proving to the web server that the attacker is a valid user.

The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.

Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc.

Targets:
Web form authentication cracking
SSH tunnels
FTP servers
SMTP servers
Web shares

Web Server Password Cracking

Many hacking attempts start with password cracking. Once a password is cracked, the attacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to obtain or crack passwords.

Attackers mainly target:

Web form authentication cracking
SSH tunnels
FTP servers
SMTP servers
Web shares


Webserver Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.

Passwords can be cracked by using the following techniques:

1. Guessing
2. Dictionary Attack
3. Brute Force Attack
4. Hybrid Attack: A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt.

Web Server Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack the password:

Guessing: A common cracking method used by attackers is to guess passwords, either by hand or with automated tools fed with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same habit allows the attacker to crack passwords by guessing.

Dictionary Attack: A dictionary attack tries a predefined list of words and common variations. It fails if the password is not in the list, for example when it contains special characters and symbols, but compared to a brute force attack it is far less time consuming.

Brute Force Attack: In the brute force method, all possible character combinations are tested, for example uppercase "A to Z," numbers "0 to 9," or lowercase "a to z." This method is practical for short passwords drawn from a small character set. If a password is long and consists of uppercase and lowercase letters, numbers and special characters, the search space grows exponentially with the length, and cracking it may take months or years, which is impractical for the attacker.


Hybrid Attack: A hybrid attack is more powerful than a plain dictionary attack because it combines the dictionary with elements of brute force: each word is tried together with appended or prepended numbers and symbols (admin1, admin2010, password!). Because users commonly add such suffixes to a dictionary word, password cracking becomes easier with this method.
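The three automated techniques above, implemented as an added example (it is not code from the original page or from the tools it names) against a constructed SHA-256 hash: a plain dictionary run over the common passwords the page lists, a hybrid run that applies digit and symbol suffixes to the same words, and a brute-force run over a character set, together with the search-space arithmetic that explains why the hybrid run finds a word-plus-year password after tens of thousands of guesses while exhaustive search over nine characters does not finish. The target passwords, word list and rule set are constructed for the example; web server passwords should be stored with salted, slow hashes, which changes the cost per guess but not the ordering of the techniques.

```python
import hashlib
import itertools
import string


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed targets (not from the original page): the cracker sees only the hashes.
TARGET_HASH = sha256_hex("admin2010")   # dictionary word plus a year: hybrid territory
SHORT_HASH = sha256_hex("pw1")          # three characters: brute-force territory

# The common passwords named on the page, used as the word list.
WORDLIST = ["password", "root", "administrator", "admin", "demo", "test", "guest", "qwerty"]


def dictionary_attack(target_hash, words):
    """Try each word as-is. Returns (password or None, guesses made)."""
    for n, word in enumerate(words, 1):
        if sha256_hex(word) == target_hash:
            return word, n
    return None, len(words)


def hybrid_candidates(words, max_digits=4):
    """Hybrid rule set: each word bare, with a common symbol, then with 1..max_digits digits."""
    for word in words:
        yield word
        for symbol in "!@#":
            yield word + symbol
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                yield word + "".join(digits)


def hybrid_attack(target_hash, words, max_digits=4):
    """Dictionary words expanded by the rule set. Returns (password or None, guesses made)."""
    guesses = 0
    for guesses, cand in enumerate(hybrid_candidates(words, max_digits), 1):
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


def search_space(charset_size, max_len):
    """Number of candidates an exhaustive search covers for lengths 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def brute_force_attack(target_hash, charset, max_len):
    """Exhaustive search, shortest candidates first. Returns (password or None, guesses made)."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            guesses += 1
            if sha256_hex("".join(chars)) == target_hash:
                return "".join(chars), guesses
    return None, guesses
```

The dictionary run fails on admin2010 after eight guesses; the hybrid run finds it after roughly 36,000, because the first three words each expand to 11,114 candidates before admin is reached. Brute force over lowercase letters and digits finds the three-character password after about 21,600 guesses, but the same character set at nine characters is a search space above 10^14, which is the "months or years" case in the text.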


Web Application Attacks

Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise: directory traversal, parameter/form tampering, cookie tampering, command injection, buffer overflow, cross-site scripting, denial of service, unvalidated input and file injection, cross-site request forgery, SQL injection and session hijacking.

Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications

Web Application Attacks

Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.

Directory Traversal

Directory traversal is exploitation of the way the server maps URLs to files, through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.

Parameter/Form Tampering

This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.

Cookie Tampering

Cookie tampering is the method of poisoning or tampering with the cookie of the client. Most of these attacks happen when the cookie is sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.


Command Injection Attacks

Command injection is an attack in which the attacker supplies input that the application passes unchecked to an operating system shell, interpreter or other back-end command; the attacker identifies form fields or parameters that lack valid constraints and uses them to run commands of his choice on the server.

Buffer Overflow Attacks

Most web applications are designed to handle a bounded amount of data. If that amount is exceeded, the application may crash or may exhibit some other vulnerable behavior. The attacker uses this to advantage and floods the application with too much data, which in turn causes a buffer overflow.

Cross-Site Scripting (XSS) Attacks

Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website, which are then executed in the browsers of its other users.

Denial-of-Service (DoS) Attack

A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.

Unvalidated Input and File Injection Attacks

Unvalidated input and file injection attacks refer to attacks carried out by supplying unvalidated input or by injecting files into a web application.

Cross-Site Request Forgery (CSRF) Attack

A malicious web page causes the user's web browser to send requests to a trusted website on which the user is already authenticated, so that actions the user never intended are performed with the user's privileges. This kind of attack is dangerous in the case of financial websites.

SQL Injection Attacks

SQL injection is a code injection technique that exploits a security vulnerability in the way an application builds database queries. The attacker injects malicious code into strings that are later passed on to the SQL server for execution.

Session Hijacking

Session hijacking is an attack where the attacker exploits, steals or predicts the valid web session control mechanism (typically the session identifier) to access the authenticated parts of a web application.


Module Flow

So far we have discussed web server concepts and the various techniques used by attackers to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.

Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures

This section provides insight into the attack methodology and the tools that help at the various stages of hacking.


Webserver Attack Methodology

Information Gathering
Webserver Footprinting
Vulnerability Scanning
Hacking Webserver Passwords

Web Server Attack Methodology

Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of the web server attack methodology include:

Information Gathering

Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she then analyzes it in order to find the security lapses in the current mechanism of the web server.

Web Server Footprinting

The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.

Mirroring Website

Website mirroring is a method of copying a website and its content onto another server for offline browsing.

Vulnerability Scanning


Vulnerability scanning is a method of finding the various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.

Session Hijacking

Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.

Hacking Web Server Passwords

Attackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.


Webserver Attack Methodology: Information Gathering

Information gathering involves collecting information about the targeted company.

Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.

Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number.

WHOIS information for ebay.com:

[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: EBAY.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: SJC-DNS1.EBAYDNS.COM
Name Server: SJC-DNS2.EBAYDNS.COM
Name Server: SMF-DNS1.EBAYDNS.COM
Name Server: SMF-DNS2.EBAYDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018

Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance

http://www.whois.net

Web Server Attack Methodology: Information Gathering

Every attacker before hacking first collects all the required information such as versions and technologies being used by the web server, etc. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of the attackers' time is spent in the phase of information gathering only. That's why information gathering is both an art as well as a science. There are many tools that can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:

• Whois
• Traceroute
• Active Whois
• Nmap
• Angry IP Scanner
• Netcat

Whois


Source: http://www.whois.net

Whois allows you to perform a domain whois search and a whois IP lookup and search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used for performing a search to see who owns a domain name, how many pages from a site are listed with Google, or even search the Whois address listings for a website's owner.

WHOIS.net
Your Domain Starting Place...

WHOIS information for ebay.com:

[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: EBAY.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: SJC-DNS1.EBAYDNS.COM
Name Server: SJC-DNS2.EBAYDNS.COM
Name Server: SMF-DNS1.EBAYDNS.COM
Name Server: SMF-DNS2.EBAYDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018

FIGURE 12.13: WHOIS Information Gathering
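The same registry record that gives an attacker a domain's name servers and dates also tells the domain owner whether the registration itself is protected. The following added example (not part of the module) parses a thin-registry WHOIS response laid out like Figure 12.13 and audits it from the owner's side: missing registrar locks, imminent expiry, and a single name server. The record is a constructed sample; the field names are the ones shown on the slide and the 90-day threshold is illustrative.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample, laid out like the thin-registry response in Figure 12.13.
SAMPLE_WHOIS = """\
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0

Domain Name: EXAMPLE-CORP.COM
Registrar: EXAMPLE REGISTRAR INC.
Whois Server: whois.example-registrar.invalid
Referral URL: http://www.example-registrar.invalid
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
Status: clientTransferProhibited
Status: serverDeleteProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018
"""

# Registrar ("client") locks that stop unauthorised transfer, deletion or
# name server changes; the ebay.com record on the slide carries all three.
CLIENT_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited",
                "clientUpdateProhibited"}
RENEWAL_WARNING_DAYS = 90   # illustrative threshold


def parse_whois(text):
    """Return {field: [values]}; repeated fields such as Name Server and
    Status keep every value in the order the registry printed them."""
    record = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the "[Querying ...]" banner and lines without a field name.
        if not line or line.startswith("[") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip()].append(value.strip())
    return dict(record)


def parse_whois_date(value):
    """Registry dates look like 03-aug-2018 (DD-mon-YYYY)."""
    return datetime.strptime(value, "%d-%b-%Y").date()


def audit_registration(record, today_iso):
    """Findings a domain owner should act on: missing locks, imminent
    expiry (a lapsed domain can be registered by anyone) and a single
    point of failure in DNS. `today_iso` is a YYYY-MM-DD string."""
    today = date.fromisoformat(today_iso)
    findings = []
    missing = sorted(CLIENT_LOCKS - set(record.get("Status", [])))
    if missing:
        findings.append("missing registrar locks: " + ", ".join(missing))
    expiry = parse_whois_date(record["Expiration Date"][0])
    days_left = (expiry - today).days
    if days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"expires in {days_left} days ({expiry.isoformat()})")
    if len(record.get("Name Server", [])) < 2:
        findings.append("fewer than two name servers")
    return findings


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for finding in audit_registration(rec, "2018-06-01"):
        print("-", finding)
```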


Webserver Attack Methodology: Webserver Footprinting

• Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details

• Telnet a webserver to footprint a webserver and gather information such as server name, server type, operating systems, applications running, etc.

• Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting

Web Server Attack Methodology: Web Server Footprinting

The purpose of footprinting is to gather account details, operating system and other software versions, server names, and database schema details and as much information as possible about security aspects of a target web server or network. The main purpose is to know about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet a web server to footprint a web server and gather information such as server name, server type, operating systems, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc.

Netcraft

Source: http://toolbar.netcraft.com

Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.


NETCRAFT

Search Web by Domain

Explore 1,045,745 websites visited by users of the Netcraft Toolbar, 3rd August 2012

Search: site contains "microsoft"   (example: site contains .netcraft.com)

Results for microsoft

Found 252 sites

     Site                              First seen       Netblock                    OS
  1. www.microsoft.com                 august 1995      microsoft corp              citrix netscaler
  2. support.microsoft.com             october 1997     microsoft corp              unknown
  3. technet.microsoft.com             august 1999      microsoft corp              citrix netscaler
  4. windows.microsoft.com             june 1998        microsoft corp              windows server 2008
  5. msdn.microsoft.com                september 1998   microsoft corp              citrix netscaler
  6. office.microsoft.com              november 1998    microsoft corp              unknown
  7. social.technet.microsoft.com      august 2008      microsoft corp              citrix netscaler
  8. answers.microsoft.com             august 2009      microsoft limited           windows server 2008
  9. www.update.microsoft.com          may 2007         microsoft corp              windows server 2008
 10. social.msdn.microsoft.com         august 2008      microsoft corp              citrix netscaler
 11. go.microsoft.com                  november 2001    ms hotmail                  citrix netscaler
 12. windowsupdate.microsoft.com       february 1999    microsoft corp              windows server 2008
 13. update.microsoft.com              february 2005    microsoft corp              windows server 2008
 14. www.microsofttranslator.com       november 2008    akamai technologies         linux
 15. search.microsoft.com              january 1997     akamai international b.v    linux
 16. www.microsoftstore.com            november 2008    digital river ireland ltd.  f5 big-ip
 17. login.microsoftonline.com         december 2010    microsoft corp              windows server 2003
 18. wer.microsoft.com                 october 2005     microsoft corp              windows server 2008

FIGURE 12.14: Web server Footprinting


Webserver Footprinting Tools

[Slide screenshots: httprecon 7.3 fingerprinting http://www.nytimes.com:80/ and ID Serve querying www.google.com; reproduced as Figures 12.15 and 12.16 below]

http://www.computec.ch
http://www.grc.com

Web Server Footprinting Tools

We have already discussed the Netcraft tool. In addition to the Netcraft tool, there are two more tools that allow you to perform web server footprinting. They are httprecon and ID Serve.

httprecon

Source: http://www.computec.ch

httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.


httprecon 7.3 - http://www.nytimes.com:80/

File  Configuration  Fingerprinting  Reporting  Help

Target (Sun ONE Web Server 6.1)
http:// www.nytimes.com :80   [Analyze]

GET existing | GET long request | GET non-existing | GET wrong protocol | HEAD existing | OPTIONS common

HTTP/1.1 200 OK
Date: Thu, 11 Oct 2012 09:34:37 GMT
Server: Apache
expires: Thu, 01 Dec 1994 16:00:00 GMT
cache-control: no-cache
pragma: no-cache
Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com;
Set-cookie: adxcs=-; path=/; domain=.nytimes.com
Vary: Host

Matchlist (352 Implementations) | Fingerprint Details | Report Preview

Name                                        Hits   Match %
Oracle Application Server 10g 10.1.2.2.0    58     81.6901408450704
Sun Java System Web Server 7.0              57     80.2816901408451
Abyss 2.5.0.0 X1                            56     78.8732394366197
Apache 2.0.52                               56     78.8732394366197
Apache 2.2.6                                56     78.8732394366197

Ready.

FIGURE 12.15: httprecon Screenshot

ID Serve

Source: http://www.grc.com

ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
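What httprecon and ID Serve read off a server is simply its response headers, so the same headers are what a defender reviews before exposing a server. The following added example (not code from httprecon, ID Serve or the module) parses a raw HTTP response and reports which headers disclose a product and version and which hardening headers are absent, with a verbose response beside its hardened counterpart. Both responses are constructed, modelled on the headers visible in Figures 12.15 and 12.16; the header lists are the author's selection.

```python
import re

# Constructed response modelled on Figures 12.15/12.16, with the verbose
# Server banner and X-Powered-By header a default installation often sends.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache/2.2.6 (Unix) PHP/5.2.9\r\n"
    "X-Powered-By: PHP/5.2.9\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response after hardening: product name only, no version, and the
# protective headers a fingerprinting tool would otherwise report as absent.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Headers whose value typically names a product and version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# Hardening headers a defender expects on an HTML response.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options",
                    "strict-transport-security", "content-security-policy")
# Matches product/version tokens such as Apache/2.2.6 or PHP/5.2.9.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)]).
    Header order is kept: httprecon-style tools use the order itself as
    a fingerprint feature, so it is worth seeing what a scanner sees."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_disclosure(raw):
    """Report what the response tells a fingerprinting tool and which
    hardening headers are missing."""
    status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    leaks = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            leaks.append({"header": name, "value": value,
                          "versions": VERSION_RE.findall(value)})
    return {
        "status": status,
        "leaks": leaks,
        # True when any header exposes an exact version string.
        "version_disclosed": any(leak["versions"] for leak in leaks),
        "missing": [h for h in EXPECTED_HEADERS if h not in present],
        "header_order": [name for name, _ in headers],
    }


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit_disclosure(raw)
        print(label, "->", "leaks:", [(l["header"], l["versions"]) for l in report["leaks"]],
              "missing:", report["missing"])
```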


ID Serve
Internet Server Identification Utility, v1.02
ID Serve Personal Security Freeware by Steve Gibson
Copyright (c) 2003 by Gibson Research Corp.

Background | Server Query | Q&A/Help

Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com):
www.google.com

When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server.   [Query The Server]

Server query processing:
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close

The server identified itself as: gws

[Copy]  [Goto ID Serve web page]  [Exit]

FIGURE 12.16: ID Serve


Webserver Attack Methodology: Mirroring a Website

• Mirror a website to create a complete profile of the site's directory structure, files structure, external links, etc.

• Search for comments and other items in the HTML source code to make footprinting activities more efficient

• Use tools HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website

[Slide screenshot: HTTrack "Site mirroring in progress" dialog; reproduced as Figure 12.17 below]

http://www.httrack.com

Web Server Attack Methodology: Mirroring a Website

Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror website is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, Webcopier, and Blackwidow.

Source: http://www.httrack.com

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.


Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]

File  Preferences  Mirror  Log  Window  Help

Local Disk <C:>                  In progress: Parsing HTML file
  CEH-Tools
  dell                           Information
  inetpub                        Bytes saved: 320.26KB           Links scanned: 2/14 (+13)
  Intel                          Time: 2min22s                   Files written: 14
  MyWebSites                     Transfer rate: 0B/s (1.19MB/s)  Files updated: 0
  Program Files                  Active connections: 1           Errors: 0
  Program Files (x86)
  Users                          [Actions]
  Windows
  NTUSER.DAT
Local Disk <D:>
DVD RW Drive <E:>
New Volume <F:>

< Back | Next > | Cancel | Help

FIGURE 12.17: Mirroring a Website


Webserver Attack Methodology: Vulnerability Scanning

• Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited

• Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities

• Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present

• Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities

Web Server Attack Methodology: Vulnerability Scanning

Vulnerability scanning is a method of determining various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.

Vulnerability scanning allows determining the vulnerabilities that exist in the web server and its configuration. Thus, it helps to determine whether the web server is exploitable or not. Sniffing techniques are adopted in the network traffic to find out active systems, network services, applications, and vulnerabilities present.

Also, attackers test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning such as HP WebInspect, Nessus, Paros proxy, etc. to find hosts, services, and vulnerabilities.

Nessus

Source: http://www.nessus.org

Nessus is a security scanning tool that scans the system remotely and reports if it detects vulnerabilities before the attacker actually attacks and compromises them. Its five features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

FIGURE 12.18: Nessus Screenshot


Webserver Attack Methodology: Session Hijacking

• Sniff valid session IDs to gain unauthorized access to the web server and snoop the data

• Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs

• Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking

[Slide screenshot: Burp Suite free edition v1.4.01 site map; reproduced as Figure 12.19 below]

http://portswigger.net

Note: For complete coverage of Session Hijacking concepts and techniques refer to Module 11: Session Hijacking

Web Server Attack Methodology: Session Hijacking

Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the legitimate user sends the response with the correct sequence number. Thus, an attacker performs session hijacking. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

Burp Suite

Source: http://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.
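Each hijacking technique named above maps to a property of the session cookie: sidejacking works when the cookie travels over plain HTTP (no Secure flag), cross-site scripting steals it when script can read it (no HttpOnly flag), and session fixation works when the server keeps the pre-login session ID after authentication. The following added example (not from Burp Suite, Hamster, Firesheep or the module) parses Set-Cookie headers and checks those properties, including whether the session ID was rotated at login. The headers are constructed, the first modelled on the ALT_ID cookie in Figure 12.15; the name hints used to recognise session cookies are the author's assumption.

```python
# Constructed Set-Cookie headers. PRE_LOGIN is what an anonymous visitor
# receives; POST_LOGIN is the response to a successful login.
PRE_LOGIN = [
    "Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; "
    "Path=/; Domain=.example.com",
    "Set-Cookie: SESSIONID=5f1a9c2e; Path=/",
]
# Same SESSIONID reissued after login: a fixated ID stays valid.
POST_LOGIN = ["Set-Cookie: SESSIONID=5f1a9c2e; Path=/"]
# Hardened login response: fresh, long ID with the protective attributes set.
HARDENED = ["Set-Cookie: SESSIONID=c41d0b7e9a3f6e2d8b1c4f7a9e0d3b5c; Path=/; Secure; HttpOnly; SameSite=Lax"]

# Substrings that usually mark a cookie as carrying session state (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")
MIN_ID_LENGTH = 16   # illustrative: shorter IDs are cheap to guess or brute force


def parse_set_cookie(header):
    """Split 'Set-Cookie: name=value; attr; attr=value' into
    (name, value, {attr_lower: value}). Splitting on ';' is safe because
    attribute values such as Expires contain commas but never semicolons."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_cookie(header):
    """Return (name, [findings]) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, exposed to sidejacking")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by injected script (XSS)")
    if "samesite" not in attrs:
        findings.append("no SameSite attribute: sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives browser close")
    if len(value) < MIN_ID_LENGTH:
        findings.append(f"short value ({len(value)} chars): low entropy")
    return name, findings


def audit_session_cookies(headers):
    """Findings for every cookie that looks like a session cookie."""
    return {name: findings
            for name, findings in (audit_cookie(h) for h in headers)
            if looks_like_session_cookie(name)}


def session_rotated(pre_headers, post_headers, name):
    """True if cookie `name` was reissued with a different value after
    authentication, which is the defence against session fixation."""
    before = {n: v for n, v, _ in map(parse_set_cookie, pre_headers)}
    after = {n: v for n, v, _ in map(parse_set_cookie, post_headers)}
    return name in after and after[name] != before.get(name)


if __name__ == "__main__":
    print(audit_session_cookies(PRE_LOGIN))
    print("rotated at login:", session_rotated(PRE_LOGIN, POST_LOGIN, "SESSIONID"))
    print("rotated (hardened):", session_rotated(PRE_LOGIN, HARDENED, "SESSIONID"))
```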


burp suite free edition v1.4.01

burp  intruder  repeater  window  about

target | spider | scanner | intruder | repeater | sequencer | decoder | comparer | options | alerts

site map | scope

Filter: hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders

http://economictimes.indiatimes.com    host                    method  URL                          params  status  length  MIME type
http://edition.cnn.com                 http://edition.cnn.com  GET     /.element/ssi/ads.iframes/           200     676     HTML
  .element
    [context menu]
    add item to scope
    spider this branch
    actively scan this branch
    passively scan this branch
    engagement tools [pro version only]
    compare site maps
    expand branch
    expand requested items
    delete branch
    copy URLs in this branch
    copy links in this branch
    save selected items

request | response
params | headers | hex

GET /.element/ssi/intl/breaking_news/3.0/banner.html?csiID=... HTTP/1.1
Host: edition.cnn.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/javascript, text/html, application/xml, text/xml, ...

FIGURE 12.19: Burp Suite Screenshot


Webserver Attack Methodology: Hacking Web Passwords

• Use password cracking techniques such as brute force attack, dictionary attack, password guessing to crack webserver passwords

• Use tools such as Brutus, THC-Hydra, etc.

[Slide screenshot: Brutus AET2 running an HTTP (Basic Auth) word-list attack against 10.0.0.17; reproduced as Figure 12.20 below]

http://www.hoobie.net

Web Server Attack Methodology: Hacking Web Passwords

One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.

Brutus

Source: http://www.hoobie.net

Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
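Two of the steps in this methodology leave a recognisable trace in the web server's access log: mirroring a whole site (the HTTrack, WebCopier and BlackWidow tools from the mirroring section) and online password guessing against HTTP Basic Auth (Brutus, THC-Hydra), which Figure 12.20 shows as thousands of HEAD requests that mostly draw 401 responses. The following added example (not code from any of those tools or from the module) parses Apache combined-format log lines and flags both behaviours. The log lines are constructed, the offline-browser tokens are the tool names the module lists, and the thresholds are illustrative.

```python
import re
from collections import Counter

# Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Offline-browser / mirroring tools named in the module (matched case-insensitively).
MIRROR_AGENTS = ("httrack", "webcopier", "blackwidow", "webripper")
REQUESTS_PER_MINUTE = 60   # illustrative rate threshold for one client
FAILED_AUTHS = 20          # illustrative 401 threshold per client and path


def parse_line(line):
    """Return a dict of fields, or None for a line that is not in combined format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    # Keep only the minute for rate counting, e.g. "11/Oct/2012:09:34".
    rec["minute"] = rec["time"][:17]
    rec["status"] = int(rec["status"])
    return rec


def detect_mirroring(records):
    """IPs that announce a mirroring tool or exceed the per-minute request rate."""
    flagged = {}
    per_minute = Counter()
    for rec in records:
        if any(tok in rec["agent"].lower() for tok in MIRROR_AGENTS):
            flagged[rec["ip"]] = f"offline-browser user agent: {rec['agent']}"
        per_minute[(rec["ip"], rec["minute"])] += 1
    for (ip, minute), n in per_minute.items():
        if n >= REQUESTS_PER_MINUTE and ip not in flagged:
            flagged[ip] = f"{n} requests in minute {minute}"
    return flagged


def detect_brute_force(records):
    """(ip, path) pairs with many 401 responses, i.e. repeated failed Basic Auth."""
    failures = Counter((rec["ip"], rec["path"]) for rec in records if rec["status"] == 401)
    return {key: n for key, n in failures.items() if n >= FAILED_AUTHS}


def analyse(log_text):
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    return {"mirroring": detect_mirroring(records),
            "brute_force": detect_brute_force(records)}


def build_sample_log():
    """Constructed log: a normal browser, an HTTrack mirror, a scripted
    high-rate crawler with a browser user agent, and a Basic Auth guessing run."""
    line = '%s - - [11/Oct/2012:09:34:%02d +0000] "%s %s HTTP/1.1" %d 512 "-" "%s"'
    browser = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1"
    lines = [line % ("203.0.113.5", 7, "GET", "/index.html", 200, browser)]
    for i in range(14):
        lines.append(line % ("198.51.100.23", i, "GET", f"/page{i}.html", 200,
                             "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"))
    for i in range(65):
        lines.append(line % ("198.51.100.99", i % 60, "GET", f"/p{i}.html", 200, browser))
    for i in range(25):
        lines.append(line % ("192.0.2.77", i, "HEAD", "/admin/", 401, "constructed-client/1.0"))
    lines.append(line % ("192.0.2.77", 30, "HEAD", "/admin/", 200, "constructed-client/1.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for ip, why in result["mirroring"].items():
        print("mirroring:", ip, "-", why)
    for (ip, path), n in result["brute_force"].items():
        print("brute force:", ip, path, f"{n} failed authentications")
```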


Brutus - AET2 - www.hoobie.net/brutus - (January 2000)

File  Tools  Help

Target: 10.0.0.17          Type: HTTP (Basic Auth)          [Start] [Stop] [Clear]

Connection Options
Port: 80    Connections: 10    Timeout: 10    [ ] Use Proxy  [Define]

HTTP (Basic) Options
Method: HEAD    [x] KeepAlive

Authentication Options
[x] Use Username   [ ] Single User    Pass Mode: Word List
User File: users.txt [Browse]          Pass File: words.txt [Browse]

Positive Authentication Results
Target        Type                Username    Password
10.0.0.17/    HTTP (Basic Auth)   admin       academic
10.0.0.17/    HTTP (Basic Auth)   backup

Located and installed 1 authentication plug-ins
Initialising...
Target 10.0.0.17 verified
Opened user file containing 6 users.
Opened password file containing 818 Passwords.
Maximum number of authentication attempts will be 4908
Engaging target 10.0.0.17 with HTTP (Basic Auth)

Timeout | Reject | Auth Seq | Throttle | Quick Kill

FIGURE 12.20: Brutus Screenshot


Module Flow

The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.

Webserver Concepts        Webserver Attacks
Attack Methodology        Webserver Attack Tools
Webserver Pen Testing     Webserver Security Tools
Patch Management          Counter-measures

This section lists and describes various web server attack tools.


Webserver Attack Tools: Metasploit

- The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms
- It supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP

[Metasploit dashboard screenshot: Target System Status, Operating Systems (Top 5), Project Activity (24 Hours), Network Services (Top 5)]

http://www.metasploit.com

Web Server Attack Tools: Metasploit

Source: http://www.metasploit.com

The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS.

Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and for team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.

Metasploit enables you to:

- Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks


- Assess the security of web applications, network and endpoint systems, as well as email users
- Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
- Test with the world's largest public database of quality assured exploits
- Tunnel any traffic through compromised targets to pivot deeper into the network
- Collaborate more effectively with team members in concerted network tests
- Customize the content and template of executive, audit, and technical reports

FIGURE 12.21: Metasploit Screenshot (Metasploit dashboard: Target System Status, Operating Systems (Top 5), Project Activity (24 Hours), Network Services (Top 5))


Metasploit Architecture

[Architecture diagram: Libraries (Rex, Framework-Core, Framework-Base); Interfaces (msfconsole, msfcli, msfweb, msfwx, msfapi); Modules (Exploits, Payloads, Encoders, NOPS, Auxiliary); Custom plug-ins, Protocol Tools, Security Tools, Web Services, Integration]

Metasploit Architecture

The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.


FIGURE 12.22: Metasploit Architecture (Libraries: Rex, Framework-Core, Framework-Base; Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi; Modules: Exploits, Payloads, Encoders, NOPS, Auxiliary; Custom plug-ins, Protocol Tools, Security Tools, Web Services, Integration)


Metasploit Exploit Module

- It is the basic module in Metasploit used to encapsulate an exploit using which users target many platforms with a single exploit
- This module comes with simplified meta-information fields
- Using a Mixins feature, users can also modify exploit behavior dynamically, brute force attacks, and attempt passive exploits

Steps to exploit a system using the Metasploit Framework:

- Configuring Active Exploit
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit

Metasploit Exploit Module

The exploit module is the basic module in Metasploit used to encapsulate an exploit using which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.

Following are the steps to exploit a system using the Metasploit framework:

- Configuring Active Exploit
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit


Metasploit Payload Module

- Payload module establishes a communication channel between the Metasploit framework and the victim host
- It combines the arbitrary code that is executed as the result of an exploit succeeding
- To generate payloads, first select a payload using the command:

Command Prompt

msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
  -b <opt>  The list of characters to avoid: '\x00\xff'
  -e <opt>  The name of the encoder module to use.
  -h        Help banner.
  -o <opt>  A comma separated list of options in VAR=VAL format.
  -s <opt>  NOP sled length.
  -t <opt>  The output type: ruby, perl, c, or raw.
msf payload(shell_reverse_tcp) >

Metasploit Payload Module

The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there.

With the help of a payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer.

To generate payloads, first select a payload using the command:


Command Prompt

msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
  -b <opt>  The list of characters to avoid: '\x00\xff'
  -e <opt>  The name of the encoder module to use.
  -h        Help banner.
  -o <opt>  A comma separated list of options in VAR=VAL format.
  -s <opt>  NOP sled length.
  -t <opt>  The output type: ruby, perl, c, or raw.
msf payload(shell_reverse_tcp) >

FIGURE 12.23: Metasploit Payload Module


Metasploit Auxiliary Module

- Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing
- To run an auxiliary module, either use the run command, or use the exploit command

Command Prompt

msf > use dos/windows/smb/ms06_035_mailslot
msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(ms06_035_mailslot) > run
[*] Mangling the kernel, two bytes at a time...

Metasploit Auxiliary Module

Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command.


Metasploit NOPS Module

NOP modules generate no-operation instructions used for padding out buffers.

Use the generate command to generate a NOP sled of an arbitrary size and display it in a given format:

Command Prompt

msf > use x86/opty2
msf nop(opty2) > generate -h
Usage: generate [options] length
Generates a NOP sled of a given length
OPTIONS:
  -b <opt>  The list of characters to avoid: '\x00\xff'
  -h        Help banner.
  -s <opt>  The comma separated list of registers to save.
  -t <opt>  The output type: ruby, perl, c, or raw
msf nop(opty2) >

To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

Command Prompt

msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >

Metasploit NOPS Module

Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format.

OPTIONS:
  -b <opt>  The list of characters to avoid: '\x00\xff'
  -h        Help banner.
  -s <opt>  The comma separated list of registers to save.
  -t <opt>  The output type: ruby, perl, c, or raw.

Generates a NOP sled of a given length


To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >

Figure 12.25: Metasploit NOPS Module


Webserver Attack Tools: Wfetch

- WFetch allows attacker to fully customize an HTTP request and send it to a Web server to see the raw HTTP request and response data
- It allows attacker to test the performance of Web sites that contain new elements such as Active Server Pages (ASP) or wireless protocols

[WFetch screenshot: Advanced Request pane (Verb GET, Host localhost, Path, Authentication, Connection options) and Log Output pane, last status 500 Internal Server Error]

http://www.microsoft.com

Web Server Attack Tools: Wfetch

Source: http://www.microsoft.com

Wfetch is a graphical user interface aimed at helping customers resolve problems related to the browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem with a lightweight, very HTTP-friendly test environment. It allows for very granular testing down to the authentication, authorization, custom headers, and much more.
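The following Python script is an added example (not Wfetch's code nor the module's) of what a Wfetch session does by hand: it assembles a raw HTTP request, sends it over a plain socket and parses the raw response, here to verify that a Basic Auth-protected path rejects anonymous requests and accepts valid credentials. The local demo server, the /admin/ path and the admin:s3cret credentials are constructed stand-ins for the IIS server under test.

```python
import base64
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_request(method, path, host, headers=None, body=b""):
    """Assemble a raw HTTP/1.1 request exactly as it will be sent on the wire."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def basic_auth_header(user, password):
    """Authorization header for HTTP Basic Auth (base64 of user:password, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def send_raw(host, port, request, timeout=5.0):
    """Send request bytes over a plain TCP socket and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed stand-in for the web server under test: /admin/ requires Basic Auth
# with the assumed credentials admin:s3cret (a real IIS host would be probed instead).
class _DemoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/admin/"):
            expected = "Basic " + base64.b64encode(b"admin:s3cret").decode("ascii")
            if self.headers.get("Authorization") != expected:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
                self.end_headers()
                return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo server quiet
        pass


def check_auth_enforced(host, port):
    """Probe a protected path without and with credentials, as a Wfetch session would."""
    anon = send_raw(host, port, build_request("GET", "/admin/", host))
    auth = send_raw(host, port, build_request("GET", "/admin/", host,
                                              basic_auth_header("admin", "s3cret")))
    return {"anonymous": anon[0], "challenge": anon[1].get("www-authenticate"),
            "authenticated": auth[0]}


def run_demo():
    """Start the constructed server on a free loopback port and run both probes."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_auth_enforced("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

A hardened server answers the anonymous probe with 401 and a WWW-Authenticate challenge; a 200 there means the authorization check is missing.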


Figure 12.26: Wfetch Screenshot (wfetch - Wfetch1 window: Advanced Request pane with Verb GET, Host localhost, Path /, Auth Anonymous, Connect http; Log Output pane, last status 500 Internal Server Error)


Web Password Cracking Tool: Brutus

Source: http://www.hoobie.net

Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.

Features

- HTTP (Basic Authentication)
- HTTP (HTML Form/CGI)
- POP3
- FTP
- SMB
- Telnet
- Multi-stage authentication engine
- No username, single username, and multiple username modes
- Password list, combo (user/password) list and configurable brute force modes


- Highly customizable authentication sequences
- Load and resume position
- Import and export custom authentication types as BAD files seamlessly
- SOCKS proxy support for all authentication types
- User and password list generation and manipulation functionality
- HTML Form interpretation for HTML Form/CGI authentication types
- Error handling and recovery capability, including resume after crash/failure

Figure 12.27: Brutus Screenshot (Brutus - AET2 against target 10.0.0.17, type HTTP (Basic Auth), method HEAD, word list pass mode with users.txt and words.txt; Positive Authentication Results pane and run log)

Web Password Cracking Tool: THC-Hydra

- A very fast network logon cracker that supports many different services

[xHydra screenshot: Target tab (single target, protocol rdp, Use SSL) and Start tab output of Hydra v7.1]

http://www.thc.org

Web Password Cracking Tool: THC-Hydra

Source: http://www.thc.org

THC-Hydra is used to check for weak passwords. This tool is a brute force tool that is used by attackers as well as administrators. Hydra can automatically crack email passwords and gain access to routers, Windows systems, and telnet or SSH protected servers. It is a very fast network logon cracker that supports many different services.
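Brutus in the previous section and Hydra here both leave one failed authentication per guess, which is the trace a defender can alert on. The following Python detector is an added example (not code from either tool or from the module): it applies a sliding-window failure count per source address and service to constructed access-log lines, where each HTTP Basic Auth guess produces a 401, and to constructed RDP logon records; the 10-failures-per-minute threshold and the logon record format are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    when: datetime
    source_ip: str
    service: str
    user: str
    failed: bool


# Apache/IIS-style access log line: client, user, timestamp, request, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')


def parse_access_log(lines):
    """Each 401 is one failed HTTP Basic Auth guess (the Brutus case)."""
    events = []
    for line in lines:
        match = ACCESS_RE.match(line)
        if not match:
            continue
        ip, user, stamp, status = match.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        events.append(AuthEvent(when, ip, "http-basic", user, status == "401"))
    return events


def parse_logon_log(lines):
    """Assumed normalized logon records: '<ISO time> <service> <ip> <user> <OK|FAIL>'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        stamp, service, ip, user, outcome = parts
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, service, user, outcome == "FAIL"))
    return events


def detect_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Alert on a (source, service) pair with >= threshold failures inside one window.

    The alert is raised once, when the threshold is crossed, and then keeps
    counting failures and distinct usernames so the report covers the whole run.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.failed:
            continue
        key = (ev.source_ip, ev.service)
        queue = recent[key]
        queue.append(ev)
        while ev.when - queue[0].when > window:   # drop failures older than the window
            queue.popleft()
        if key in alerts:
            alert = alerts[key]
            alert["failures"] += 1
            alert["users"].add(ev.user)
            alert["last"] = ev.when
        elif len(queue) >= threshold:
            alerts[key] = {"source_ip": ev.source_ip, "service": ev.service,
                           "failures": len(queue), "users": {e.user for e in queue},
                           "first": queue[0].when, "last": ev.when}
    return list(alerts.values())


# Constructed sample: a Brutus-style run cycling through a two-name user list at
# one HEAD request per second from 10.0.0.5, plus one ordinary visitor.
SAMPLE_ACCESS_LOG = [
    f'10.0.0.5 - {user} [21/Oct/2012:17:01:{9 + i:02d} +0000] "HEAD /admin/ HTTP/1.1" 401 0'
    for i, user in enumerate(["admin", "backup"] * 6)
] + ['10.0.0.8 - - [21/Oct/2012:17:01:15 +0000] "GET /index.html HTTP/1.1" 200 512']

# Constructed sample: a Hydra-style RDP run with four login tries, then a normal logon.
SAMPLE_LOGON_LOG = [
    f"2012-10-21T17:01:{10 + i:02d}Z rdp 192.168.168.2 Administrator FAIL" for i in range(4)
] + ["2012-10-21T17:05:00Z rdp 192.168.168.3 jsmith OK"]


def run_detection(threshold=10):
    events = parse_access_log(SAMPLE_ACCESS_LOG) + parse_logon_log(SAMPLE_LOGON_LOG)
    return detect_bursts(events, threshold=threshold)


if __name__ == "__main__":
    for alert in run_detection():
        print(f'{alert["service"]} guessing from {alert["source_ip"]}: '
              f'{alert["failures"]} failures, {len(alert["users"])} usernames, '
              f'{alert["first"]:%H:%M:%S} to {alert["last"]:%H:%M:%S}')
```

With the default threshold only the HTTP run is reported; lowering it to 4 also catches the short RDP run, which is the trade-off between catching Hydra's small task counts and tolerating a user who mistypes a password.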


Figure 12.28: THC-Hydra Screenshot (xHydra Target tab: target 192.168.168.1, protocol rdp, Use SSL; Start tab: Hydra v7.1 output attacking service rdp on port 3389 with 4 tasks and 4 login tries, including the warning that rdp servers often don't like many connections, use -t 1 or -t 4)


Web Password Cracking Tool: Internet Password Recovery Toolbox

Internet Password Recovery Toolbox recovers passwords for Internet browsers, email clients, instant messengers, FTP clients, network and dial-up accounts

http://www.rixler.com

Web Password Cracking Tool: Internet Password Recovery Toolbox

Source: http://www.rixler.com

Internet Password Recovery Toolbox is a comprehensive solution for recovering passwords for Internet browsers, email clients, instant messengers, and FTP clients. It can cover network and dial-up accounts and can be used in the whole area of Internet communication links. This program offers instantaneous password recovery capabilities for almost every Internet application you expect it to provide: you name it, the program has it.


Module Flow

So far, we have discussed web server concepts, techniques used by attackers, attack methodology, and web server attack tools. All these concepts help in breaking into the web server or compromising web server security. Now it's time to discuss the countermeasures that help in enhancing the security of web servers. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web server against web server intrusions.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Counter-measures
- Patch Management
- Webserver Security Tools
- Webserver Pen Testing


This section highlights web server countermeasures that protect web servers against various attacks.


Countermeasures: Patches and Updates

- Scan for existing vulnerabilities, patch, and update the server software regularly
- Apply all updates, regardless of their type, on an "as-needed" basis
- Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs)
- Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation
- Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation
- Test the service packs and hotfixes on a representative non-production environment prior to being deployed to production
- Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available
- Schedule periodic service pack upgrades as part of operations maintenance and never try to have more than two service packs behind

C o u n t e r m e a s u r e s : P a t c h e s a n d U p d a t e s

T h e f o llo w in g a re a f e w c o u n te r m e a s u r e s t h a t can be a d o p t e d t o p r o t e c t w e b s e rv e rs
a g a in s t v a rio u s h a c k in g te c h n iq u e s :

© Scan f o r e x is tin g v u ln e r a b ilit ie s a n d p a tc h a n d u p d a te t h e s e r v e r s o f t w a r e re g u la rly .

© A p p l y all u p d a t e s , r e g a r d l e s s o f t h e i r t y p e , o n a n " a s - n e e d e d " ba s is .

© E nsure t h a t s e rv ic e packs, h o tfix e s , and s e c u rity p a tc h le v e ls a re c o n s is te n t o n all


D o m a i n C o n t r o l l e r s (DCs). E n s u r e t h a t s e r v e r o u t a g e s a r e s c h e d u l e d a n d a c o m p le te set
o f b a c k u p t a p e s a n d e m e r g e n c y r e p a i r d is k s a r e a v a i l a b l e .

© H ave a b a c k - o u t p la n t h a t a llo w s th e s y s te m a n d e n te r p r is e t o r e t u r n t o t h e ir o rig in a l


s ta te , p r io r t o th e fa ile d im p le m e n ta tio n .

© B e f o r e a p p l y i n g a n y s e r v i c e p a c k , h o t f i x , o r s e c u r i t y p a t c h , r e a d a n d p e e r r e v i e w all
re le v a n t d o c u m e n ta tio n .

© T e s t th e s e rv ic e packs a n d h o tfix e s o n a r e p r e s e n ta tiv e n o n - p r o d u c t io n e n v ir o n m e n t


p r io r to b e in g d e p lo y e d to p r o d u c tio n .

© E nsure t h a t s e rv e r o u ta g e s a re s c h e d u le d a n d a c o m p le te s e t o f b a c k u p ta p e s and
e m e r g e n c y r e p a i r d is k s a r e a v a i l a b l e .

© S c h e d u l e p e r i o d i c s e r v i c e p a c k u p g r a d e s as p a r t o f o p e r a t i o n s m a i n t e n a n c e a n d n e v e r
t r y t o h a v e m o r e th a n t w o s e rv ic e packs b e h in d .


Countermeasures: Protocols

The following are some measures that should be applied to the respective protocols in order to protect web servers from hacking:

- Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.
- Harden the TCP/IP stack and consistently apply the latest software patches and updates to the system software.
- If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.
- If remote access is needed, make sure that the remote connection is secured properly by using tunneling and encryption protocols.
- Disable WebDAV if it is not used by the application, or keep it secure if it is required.


Countermeasures: Accounts

The following is the list of account countermeasures for hacking web servers:

- Remove all unused modules and application extensions.
- Disable unused default user accounts created during installation of an operating system.
- When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user that the IIS web server uses to access the web content.
- Eliminate unnecessary database users and stored procedures, and follow the principle of least privilege for the database application to defend against SQL query poisoning.
- Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms, including URL authorization.
- Slow down brute force and dictionary attacks with strong password policies, and then audit and alert on logon failures.
- Run processes using least-privileged accounts, as well as least-privileged service and user accounts.


Countermeasures: Files and Directories

The following is the list of actions that should be taken regarding files and directories in order to protect web servers from hacking:

- Eliminate unnecessary files within .jar files.
- Eliminate sensitive configuration information within the byte code.
- Avoid mapping virtual directories between two different servers or over a network.
- Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently.
- Disable serving of directory listings.
- Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files.
- Disable serving certain file types by creating a resource mapping.
- Ensure that web application or website files and scripts are on a separate partition or drive from the operating system, logs, and any other system files.
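The "audit and alert for logon failures" advice in the Accounts list and the "check website access logs frequently" advice above both come down to reading the server's access log. The following is an added example, not code from the CEH courseware: it parses the W3C extended log format that IIS writes and flags any client that produces a burst of 401 responses inside a sliding time window. SAMPLE_LOG is constructed sample data, and the function names are this example's own.

```python
"""Audit IIS W3C access logs for logon-failure bursts (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the IIS W3C extended format. The '#Fields:'
# directive names the columns; sc-status 401 is an access-denied
# (logon failure) response. Addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus
2012-09-10 08:00:01 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 401 2
2012-09-10 08:00:02 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 401 2
2012-09-10 08:00:03 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 401 2
2012-09-10 08:00:03 10.0.0.5 GET /index.html - 443 - 198.51.100.4 200 0
2012-09-10 08:00:04 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 401 2
2012-09-10 08:00:05 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 401 2
2012-09-10 08:00:06 10.0.0.5 GET /admin/ - 443 admin 203.0.113.7 200 0
2012-09-10 08:09:00 10.0.0.5 GET /admin/ - 443 - 198.51.100.4 401 2
2012-09-10 08:30:00 10.0.0.5 GET /admin/ - 443 - 198.51.100.4 401 2
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts.

    The '#Fields:' directive names the columns; other '#' lines are
    metadata and are skipped. Each record gets a datetime under 'ts'.
    """
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def detect_failed_logons(records, threshold=5, window_seconds=60):
    """Return {client_ip: (count, first_ts, last_ts)} for every client
    that produced at least `threshold` 401s within `window_seconds`."""
    recent = defaultdict(deque)  # c-ip -> timestamps of recent 401s
    alerts = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("sc-status") != "401":
            continue
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts[ip] = (len(q), q[0], q[-1])
    return alerts


def successes_after_failures(records, alerts):
    """Alerted clients that later received a 200 with an authenticated
    username: the pattern of a guessed credential, so triage these first."""
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip = rec["c-ip"]
        if (ip in alerts and rec["sc-status"] == "200"
                and rec["cs-username"] != "-" and rec["ts"] >= alerts[ip][2]):
            hits.append((ip, rec["cs-username"], rec["ts"]))
    return hits


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    found = detect_failed_logons(recs)
    for ip, (n, first, last) in found.items():
        print(f"ALERT {ip}: {n} logon failures between {first} and {last}")
    for ip, user, ts in successes_after_failures(recs, found):
        print(f"FOLLOW-UP {ip}: successful logon as {user!r} at {ts}")
```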


How to Defend Against Web Server Attacks

The following are the various ways to defend against web server attacks:

Ports

- Audit the ports on the server regularly to ensure that no insecure or unnecessary service is active on your web server.
- Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL).
- Encrypt or restrict intranet traffic.

Server Certificates

- Ensure that certificate date ranges are valid and that certificates are used for their intended purpose.
- Ensure that the certificate has not been revoked and that the certificate's public key is valid all the way to a trusted root authority.


Machine.config

- Ensure that protected resources are mapped to HttpForbiddenHandler and that unused HttpModules are removed.
- Ensure that tracing is disabled (<trace enable="false"/>) and that debug compiles are turned off.

Code Access Security

- Implement secure coding practices to avoid source code disclosure and input validation attacks.
- Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.
- Configure IIS to reject URLs with to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
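The path-traversal item above is a request-filtering rule; the check behind it is shown here as an added example that is not code from the CEH courseware or from IIS. It fully percent-decodes the request path (so double-encoded sequences cannot slip past a single decode), treats backslash as a separator the way IIS does, refuses any dot-dot segment, and confirms that the resolved file path is still under the web root. WEB_ROOT, naive_map and reject_or_map are this example's own names.

```python
"""Reject path-traversal URLs before they reach the file system (added example)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # constructed example web root


def naive_map(url_path):
    """The unsafe mapping: trusts the raw URL and lets '..' escape the
    web root. Shown only to contrast with reject_or_map; do not use."""
    return WEB_ROOT + url_path


def fully_decode(url_path, rounds=3):
    """Percent-decode until the value stops changing, so that a
    double-encoded '%252e%252e' is seen as the '..' it really is."""
    for _ in range(rounds):
        decoded = unquote(url_path)
        if decoded == url_path:
            return decoded
        url_path = decoded
    return url_path


def reject_or_map(url_path):
    """Return the absolute file path under WEB_ROOT for a request path,
    or None when the request must be rejected."""
    path = fully_decode(url_path)
    path = path.replace("\\", "/")      # IIS treats '\' as a separator too
    if "\x00" in path:
        return None                      # embedded NUL truncates paths in C code
    if any(seg == ".." for seg in path.split("/")):
        return None                      # explicit dot-dot segment: reject
    normalised = posixpath.normpath("/" + path.lstrip("/"))
    candidate = posixpath.normpath(
        posixpath.join(WEB_ROOT, normalised.lstrip("/")))
    # Belt and braces: the resolved path must still lie inside the root.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/images/logo.png", "/../web.config",
                "/%2e%2e/web.config", "/%252e%252e/web.config"):
        print(f"{req:28} naive={naive_map(req):40} "
              f"checked={reject_or_map(req)}")
```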


How to Defend Against Web Server Attacks (Cont'd)

IIS Lockdown

- IISLockdown restricts anonymous access to system utilities, as well as the ability to write to web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications, and then adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories. Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications. It disables Web Distributed Authoring and Versioning (WebDAV) and installs the URLScan ISAPI filter.
- Use the IISLockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server.
- IISLockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.


Services

- Disable the services running with least-privileged accounts.
- Disable FTP, SMTP, and NNTP services if not required.
- Disable the Telnet service.
- Switch off all unnecessary services and disable them, so that the next time the server is rebooted they are not started automatically. This also gives an extra boost to your server performance by freeing some hardware resources.


How to Defend Against Web Server Attacks (Cont'd)

Registry

- Apply restricted ACLs and block remote registry administration.
- Secure the SAM (stand-alone servers only).

Shares

- Remove all unnecessary file shares, including the default administration shares if they are not required.
- Secure the shares with restricted NTFS permissions.

IIS Metabase

- Ensure that security-related settings are configured appropriately and that access to the metabase file is restricted with hardened NTFS permissions.
- Restrict banner information returned by IIS.

Auditing and Logging

- Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files.


Script Mappings

- Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.

Sites and Virtual Directories

- Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.

ISAPI Filters

- Remove unnecessary ISAPI filters from the web server.


How to Defend Against Web Server Attacks (Cont'd)

The following is a list of actions that can be taken to defend web servers from various kinds of attacks:

- Create URL mappings to internal servers cautiously.
- If a database server such as Microsoft SQL Server is to be used as a backend database, install it on a separate server.
- Do use a dedicated machine as a web server.
- Don't install the IIS server on a domain controller.
- Use server-side session ID tracking and match connections with time stamps, IP addresses, etc.
- Use the security tools provided with the web server software, and scanners that automate and simplify the process of securing a web server.
- Screen and filter incoming traffic requests.
- Do physically protect the web server machine in a secure machine room.
- Do configure a separate anonymous user account for each application if you host multiple web applications.


- Do not connect an IIS server to the Internet until it is fully hardened.
- Do not allow anyone to log on locally to the machine except for the administrator.
- Limit the server functionality in order to support the web technologies that are going to be used.


How to Defend against HTTP Response Splitting and Web Cache Poisoning

The following are the measures that should be taken in order to defend against HTTP response splitting and web cache poisoning:

Server Admin

- Use the latest web server software.
- Regularly update/patch the OS and web server.
- Run a web vulnerability scanner.

Application Developers

- Restrict web application access to unique IPs.
- Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters.
- Comply with the RFC 2616 specifications for HTTP/1.1.

Proxy Servers

- Avoid sharing incoming TCP connections among different clients.
- Use different TCP connections with the proxy for different virtual hosts.
- Implement "maintain request host header" correctly.
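The developer-side rule above (disallow CR and LF, raw or percent-encoded) is the one that actually closes response splitting, because a CR/LF inside a header value ends the header block and lets the rest of the value be read as further headers. The following is an added example, not code from the CEH courseware: a redirect builder that copies user input into a Location header unchecked, beside a hardened builder that rejects CR/LF after full decoding. The host name, function names and the injected header value are constructed for the demonstration.

```python
"""Block HTTP response splitting where user input reaches a header (added example)."""
import re
from urllib.parse import unquote

CRLF = "\r\n"
_CR_OR_LF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a header value would start a new header line."""


def build_redirect_vulnerable(lang):
    """Trusts `lang`: a CR/LF inside it terminates the Location header and
    everything after it is parsed as additional headers (or a second
    response) by clients and shared caches. Kept only for contrast."""
    headers = [
        "HTTP/1.1 302 Found",
        "Location: http://www.example.com/page?lang=" + lang,
        "Content-Length: 0",
    ]
    return CRLF.join(headers) + CRLF + CRLF


def safe_header_value(value, rounds=3):
    """Return `value` unchanged if neither it nor its fully percent-decoded
    form contains CR or LF; otherwise raise HeaderInjection."""
    decoded = value
    for _ in range(rounds):             # unwind double encoding (%250d%250a)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if _CR_OR_LF.search(value) or _CR_OR_LF.search(decoded):
        raise HeaderInjection("CR/LF not allowed in a header value")
    return value


def build_redirect_hardened(lang):
    """Same redirect, but the user-controlled part is validated first."""
    return build_redirect_vulnerable(safe_header_value(lang))


def is_rejected(lang):
    """True if the hardened builder refuses this value."""
    try:
        build_redirect_hardened(lang)
    except HeaderInjection:
        return True
    return False


def parse_headers(raw):
    """Split a raw response into {'status': ..., header_name: value} the
    way a client or proxy would, so injected headers become visible."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    out = {"status": lines[0]}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        out[name.strip()] = val.strip()
    return out


if __name__ == "__main__":
    tainted = "en\r\nX-Injected: yes"          # constructed CR/LF-bearing input
    print(parse_headers(build_redirect_vulnerable(tainted)))
    print("hardened rejects:", is_rejected(tainted),
          is_rejected("en%0d%0aX-Injected:%20yes"), is_rejected("en"))
```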


Module Flow

Developers always try to find the bugs in the web server and fix them. The bug fixes are released in the form of patches. These patches provide protection against known vulnerabilities. Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities.

Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Countermeasures.

This section describes patch management concepts used to fix vulnerabilities and bugs in web servers in order to protect them from attacks.


Patches and Hotfixes

A patch is a program used to make changes to the software installed on a computer. Patches are used to fix bugs, to address security problems, to add functionality, etc. A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs, and to improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem.

A hotfix is a package that includes various files used specifically to address particular problems in software. Hotfixes are used to fix bugs in a product. Vendors inform users about the latest hotfixes through email, or the hotfixes can be downloaded from the official website. Hotfixes are an update to fix a specific customer issue and are not always distributed outside the customer organization. Users may be notified through emails or through the vendor's website. Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.


What Is Patch Management?

"Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities."

An automated patch management process has six stages: Detect (use tools to detect missing security patches), Assess (assess the issue(s) and its associated severity by mitigating the factors that may influence the decision), Acquire (download the patch for testing), Test (install the patch first on a testing machine to verify the consequences of the update), Deploy (deploy the patch to the computers and make sure the applications are not affected), and Maintain (subscribe to get notifications about vulnerabilities as they are reported).

According to http://searchenterprisedesktop.techtarget.com, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. It involves the following:

- Choosing, verifying, testing, and applying patches
- Updating previously applied patches with current patches
- Listing patches applied previously to the current software
- Recording repositories, or depots, of patches for easy selection
- Assigning and deploying the applied patches

1. Detect: It is very important to always detect missing security patches through proper detection tools. If there is any delay in the detection process, the chances of malicious attacks are very high.

2. Assess: Once the detection process is finished, it is always better to assess the various issues and the factors associated with them, and to implement those strategies that drastically reduce or eliminate the issues.

3. Acquire: The suitable patch required to fix the issues has to be downloaded.


4. Test: It is always suggested to first install the required patch on the testing system rather than the main system, as this provides a chance to verify the various consequences of updating.

5. Deploy: Patches are to be deployed into the systems with utmost care, so no application of the system is affected.

6. Maintain: It is always useful to subscribe to get notifications about various possible vulnerabilities as they are reported.


Identifying Appropriate Sources for Updates and Patches

- First make a patch management plan that fits the operational environment and business objectives
- Find appropriate updates and patches on the home sites of the applications' or operating systems' vendors
- The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts

It is very important to identify the appropriate source for updates and patches. You should take care of the following things related to patch management:

- Patch management that suits the operational environment and business objectives should be properly planned.
- Find appropriate updates and patches on the home sites of the applications' or operating systems' vendors.
- The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.


Installation of a Patch

Users can access and install security patches via the World Wide Web. Patches can be installed in two ways:

- Manual Installation: In this method, the user has to download the patch from the vendor and fix it
- Automatic Installation: In this method, the applications use the AutoUpdate feature to update themselves

You should search for a suitable patch and install it from the Internet. Patches can be installed in two ways:

Manual Installation

In the manual installation process, the user downloads the suitable patch from the vendor and fixes it.

Automatic Installation

In automatic installation, the applications, with the help of the auto update feature, get updated automatically.


Implementation and Verification of a Security Patch or Upgrade

- Before installing any patch, verify the source
- Use a proper patch management program to validate file versions and checksums before deploying security patches
- The patch management tool must be able to monitor the patched systems
- The patch management team should check for updates and patches regularly

You should be aware of a few things before implementing a patch. The following things should be kept in mind:

- Before installing any patch, its source should be properly verified. Use a proper patch management program to validate file versions and checksums before deploying security patches.
- The patch management team should check for updates and patches regularly. A patch management tool must be able to monitor the patched systems.
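The Detect step of the process above and the version/checksum verification this section calls for, as an added example written for this page (it is not code from the EC-Council courseware or from any patch management product): the script compares a host's installed-software inventory against vendor advisories and lists the missing patches worst-severity first, then refuses to stage a downloaded patch unless its package, version and SHA-256 digest match the vendor manifest. The package names, versions, advisory ids, file names and the manifest digest are constructed sample data.

```python
"""Patch management helpers: detect missing patches and verify a patch
file before deployment. Added example, not code from the CEH courseware
or from any vendor; all package names, versions, advisory ids and the
manifest digest below are constructed sample data.
"""
import hashlib
import hmac
import os
import tempfile

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """'2.4.51' -> (2, 4, 51) so versions compare numerically, not
    lexically ('2.4.9' must sort below '2.4.51')."""
    return tuple(int(part) for part in version.split("."))


def find_missing_patches(installed: dict, advisories: list) -> list:
    """Detect step: return the advisories whose fixed version is newer than
    what is installed, worst severity first. Advisories for packages that
    are not installed on this host are ignored."""
    missing = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue
        if parse_version(current) < parse_version(adv["fixed_in"]):
            missing.append(dict(adv, installed=current))
    missing.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return missing


def sha256_of_file(path: str) -> str:
    """Stream the file so a large patch archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch_file(path: str, manifest: dict, advisory: dict) -> tuple:
    """Verify step: a patch is staged for deployment only if (a) the
    manifest targets the advisory's package, (b) its version reaches the
    advisory's fixed version, and (c) the downloaded file's SHA-256 matches
    the manifest digest. Returns (ok, reason) so rejections can be logged."""
    if manifest["package"] != advisory["package"]:
        return False, "manifest is for a different package"
    if parse_version(manifest["version"]) < parse_version(advisory["fixed_in"]):
        return False, "patch version does not reach the fixed version"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, manifest["sha256"].lower()):
        return False, "checksum mismatch: file is corrupt or not the vendor's"
    return True, "ok"


# Constructed sample data: host inventory and vendor advisories (placeholders).
INSTALLED = {"webserverd": "2.4.49", "dbclient": "8.0.30", "imagelib": "3.2.1"}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "imagelib", "fixed_in": "3.3.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-2", "package": "webserverd", "fixed_in": "2.4.51", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "package": "dbclient", "fixed_in": "8.0.30", "severity": "high"},
    {"id": "ADV-EXAMPLE-4", "package": "mailerd", "fixed_in": "1.9.2", "severity": "high"},
]


def demo() -> tuple:
    """Verify a genuine and a tampered copy of a constructed patch blob.
    Returns (genuine_ok, tampered_ok), expected (True, False)."""
    advisory = next(a for a in ADVISORIES if a["package"] == "webserverd")
    patch_bytes = b"constructed patch archive for webserverd 2.4.51\n"
    # In practice the digest comes from the vendor's signed release notes,
    # never from the downloaded file itself.
    manifest = {"package": "webserverd", "version": "2.4.51",
                "sha256": hashlib.sha256(patch_bytes).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "webserverd-2.4.51.patch")
        with open(good, "wb") as fh:
            fh.write(patch_bytes)
        bad = os.path.join(tmp, "webserverd-2.4.51-tampered.patch")
        with open(bad, "wb") as fh:
            fh.write(patch_bytes[:-1] + b"X")  # one byte altered in transit
        genuine_ok, _ = verify_patch_file(good, manifest, advisory)
        tampered_ok, _ = verify_patch_file(bad, manifest, advisory)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    for adv in find_missing_patches(INSTALLED, ADVISORIES):
        print(f"{adv['severity']:8} {adv['package']} {adv['installed']} -> "
              f"{adv['fixed_in']} ({adv['id']})")
    print("genuine/tampered verification:", demo())
```

Run it directly to see the missing-patch report (webserverd first, then imagelib; dbclient is already at the fixed version and mailerd is not installed) and the verification result for the genuine and the tampered copy. In a real deployment the inventory would be read from the package manager or a CMDB and the manifest from the vendor's signed download page, which is what makes the checksum comparison meaningful.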


Patch Management Tool: Microsoft Baseline Security Analyzer (MBSA)

- Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server
- It also scans a computer for insecure configuration settings

http://www.microsoft.com

Source: http://www.microsoft.com

The Microsoft Baseline Security Analyzer (MBSA) allows you to identify missing security updates and common security misconfigurations. It is a tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.


[Screenshot: Microsoft Baseline Security Analyzer 2.2, Report Details for WORKGROUP\WIN-MSSELCK4K41 (scan date 10/12/2012 10:28 AM, MBSA version 2.2.2170.0, security update catalog: Microsoft Update). Security assessment: Incomplete Scan (could not complete one or more requested checks). Security Update Scan Results: no security updates are missing for Developer Tools, Runtimes, and Redistributables; Office; and SQL Server.]

FIGURE 12.30: Microsoft Baseline Security Analyzer (MBSA)



Patch Management Tools

In addition to MBSA, there are many other tools that can be used for identifying missing patches, security updates, and common security misconfigurations. A list of patch management tools follows:

- Altiris Client Management Suite available at http://www.symantec.com
- GFI LANguard available at http://www.gfi.com
- Kaseya Security Patch Management available at http://www.kaseya.com
- ZENworks® Patch Management available at http://www.novell.com
- Security Manager Plus available at http://www.manageengine.com
- Prism Patch Manager available at http://www.newboundary.com
- MaaS360® Patch Analyzer Tool available at http://www.maas360.com
- Secunia CSI available at http://secunia.com
- Lumension® Patch and Remediation available at http://www.lumension.com
- VMware vCenter Protect available at http://www.vmware.com


Module Flow

Web servers should always be secured in the networked computing environment to avoid the threat of being attacked. Web server security can be monitored and managed with the help of web server security tools.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Counter-measures

This section lists and describes various web server security tools.


Web Application Security Scanner: Syhunt Dynamic

Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats.

Source: http://www.syhunt.com

Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats.

Features:

- Black-Box Testing - Assesses the web application security through remote scanning. Supports any web server platform.
- White-Box Testing - By automating the process of reviewing the web application's code, Sandcat's code scanning functionality can make the life of QA testers easier, helping them quickly find and eliminate security vulnerabilities from web applications. Supports ASP, ASP.NET, and PHP.
- Concurrency/Scan Queue Support - Multiple security scans can be queued and the number of threads can be adjusted.
- Deep Crawling - Runs security tests against web pages discovered by crawling a single URL or a set of URLs provided by the user.
- Advanced Injection - Maps the entire web site structure (all links, forms, XHR requests, and other entry points) and tries to find custom, unique vulnerabilities by simulating a wide range of attacks/sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion, and many other web application vulnerability classes.
- Reporting - Generates a report containing information about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it gets added to the report. Sandcat's reports also contain charts, statistics, and compliance information. Syhunt offers a set of report templates tailored for different audiences.
- Local or Remote Storage - Scan results are saved locally (on the disk) or remotely (in the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.
- In addition to its GUI (Graphical User Interface) functionalities, Syhunt offers an easy to use command-line interface.

[Screenshot: Syhunt Dynamic (Sandcat Pro Hybrid) scan window, showing the crawled site structure tree and a scan log reporting XSS findings]

FIGURE 12.31: Syhunt Dynamic Screenshot


Web Application Security Scanner: N-Stalker Web Application Security Scanner

N-Stalker is a WebApp Security Scanner to search for vulnerabilities such as SQL injection, XSS, and known attacks.

Source: http://www.nstalker.com

N-Stalker Web Application Security Scanner is a web security assessment solution for your web applications. It is a security assessment tool that incorporates the N-Stealth HTTP security scanner. It searches for vulnerabilities such as SQL injection, XSS, and known attacks. It helps in managing the web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.

[Screenshot: N-Stalker Web Application Security Scanner 2012 - Free Edition, showing scanner events, vulnerability counts by severity (High/Medium/Low/Info), and web server information found]

FIGURE 12.32: N-Stalker Web Application Security Scanner


Web Server Security Scanner: Wikto

Source: http://www.sensepost.com

Wikto is for Windows, with a couple of extra features including fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.

Wikto may not test for SQL injections, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.


Web Server Security Scanner: Acunetix Web Vulnerability Scanner

- Acunetix WVS checks web applications for SQL injections, cross-site scripting, etc.
- It includes advanced penetration testing tools to ease manual security audit processes, and also creates professional security audit and regulatory compliance reports

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools to ease the manual security audit processes, and also creates professional security audit and regulatory compliance reports.

[Screenshot: Acunetix Web Vulnerability Scanner (Free Edition) scan of http://www.juggyboy.com:80/, showing the site structure, Acunetix Threat Level 0 (Safe), 381 requests, scan finished; the application log warns that the free edition scans only for XSS vulnerabilities]

FIGURE 12.34: Acunetix Web Vulnerability Scanner


Web Server Malware Infection Monitoring Tool: HackAlert

HackAlert™ is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements.

- Protects clients and customers from malware injected websites, drive by downloads, and malicious advertising
- Identifies malware before the website is flagged as malicious
- Displays injected code snippets to facilitate remediation
- Deploys as cloud-based SaaS or as a flexible API for enterprise integration
- Integrates with WAF or web server modules for instant mitigation

http://www.armorize.com

Source: http://www.armorize.com

HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements. Optimizing multiple analysis techniques, this service identifies injected malware and generates alarms before search engines blacklist the website. This enables immediate remediation to protect customers, business reputation, and revenues. It is accessed via either a web-based SaaS interface or a flexible API that facilitates integration with enterprise security tools.


[Screenshot: HackAlert dashboard showing scan statistics]

FIGURE 12.35: HackAlert Screenshot


Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection

QualysGuard® Malware Detection Service scans websites for malware infections and threats.

http://www.qualys.com

Source: http://www.qualys.com

QualysGuard Malware Detection Service scans websites thoroughly for malware infections and for a variety of threats. It provides automated alerts and reports that enable you to identify and resolve the threat. It can also be used to protect the customers of an organization from malware infections and safeguard their brand reputations, preventing website blacklisting. It regularly schedules scanning to monitor websites on an ongoing basis, with email alerts to quickly notify organizations when infections are discovered. Malware infection details are provided so that organizations can take quick action to isolate and remove malware.


[Screenshots: QualysGuard Portal. First, the Site Creation wizard at Step 5 of 5 (Review and confirm your settings) for the site "Own Site" with site URL http://www.juggyboy.com and a maximum of 200 pages. Second, the Scan Management list for Own Site showing per-page scan status (one page finished, the remaining pages canceled) with High/Med/Low/Info counts.]

FIGURE 12.36: QualysGuard Malware Detection Screenshot


Webserver Security Tools

Webserver security tools scan large, complex websites and web applications to tackle web-based vulnerabilities. These tools identify application vulnerabilities as well as site exposure risk, rank threat priority, produce highly graphical, intuitive HTML reports, and indicate site security posture by vulnerabilities and threat level. Some webserver security tools include:

- Retina CS, available at http://www.beyondtrust.com
- Nscan, available at http://nscan.hypermart.net
- NetIQ Secure Configuration Manager, available at http://www.netiq.com
- SAINTscanner, available at http://www.saintcorporation.com
- HP WebInspect, available at https://download.hpsmartupdate.com
- Arirang, available at http://monkey.org
- N-Stealth Security Scanner, available at http://www.nstalker.com
- Infiltrator, available at http://www.infiltration-systems.com
- WebCruiser, available at http://sec4app.com
- dotDefender, available at http://www.applicure.com


Module Flow

The whole idea behind ethical hacking is to hack your own network or system in an attempt to find the vulnerabilities and fix them before a real attacker exploits them. As a penetration tester, you should conduct a penetration test on web servers in order to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.

Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing (this section), Webserver Security Tools, Patch Management, Counter-measures.


Web Server Pen Testing Tool: CORE Impact® Pro

Source: http://www.coresecurity.com

CORE Impact® Pro is the software solution for assessing and testing security vulnerabilities in the organization's:

- Web applications
- Network systems
- Endpoint systems
- Wireless networks
- Network devices
- Mobile devices
- IPS/IDS and other defenses

CORE Impact® Pro helps you in penetrating web servers to find vulnerabilities/weaknesses in the web server. By safely exploiting vulnerabilities in your network infrastructure, this tool identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments. This tool is able to perform the following:

- Identify weaknesses in web applications, web servers, and associated databases
- Dynamically generate exploits that can compromise security weaknesses
- Demonstrate the potential consequences of a breach
- Gather information necessary for addressing security issues and preventing data incidents


[Screenshot: CORE Impact Pro console. The module pane lists local privilege escalation exploit modules with their status and last-run dates; the Network Attack and Penetration wizard and the product license dialog (version 11.0.4666, EC-Council license) are open in front of it.]

FIGURE 12.37: CORE Impact® Pro Screenshot


Web Server Pen Testing Tool: Immunity CANVAS

Source: http://www.immunitysec.com

CANVAS is an automated exploitation system, and a comprehensive, reliable exploit development framework for security professionals and penetration testers. It allows a pen tester to discover all possible security vulnerabilities on the web server.

[Screenshot: Immunity CANVAS main window, showing the module tree (Denial of Service modules, Misc Tools, Recon tools, Post Exploitation, Commands), the node and callback configuration, and the Current Status / CANVAS log / Debug log panes.]

FIGURE 12.38: Immunity CANVAS Screenshot


Web Server Pen Testing

Web server pen testing will help you to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. To perform penetration testing, you need to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Why Web Server Pen Testing?

Web server pen testing is useful for:

- Identification of Web Infrastructure: To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.
- Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
- Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that it is completely secure.


Web Server Penetration Testing

Web server penetration testing starts with collecting as much information as possible about an organization, ranging from its physical location to operating environment. The following are the series of steps conducted by the pen tester to penetrate a web server:

Step 1: Search open sources for information about the target

Try to collect as much information as possible about the target organization's web server, ranging from its physical location to operating environment. You can obtain such information from the Internet, newsgroups, bulletin boards, etc.

Step 2: Perform social engineering

Use social engineering techniques to collect information such as human resources, contact details, etc. that may help in web server authentication testing. You can also perform social engineering through social networking sites or dumpster diving.

Step 3: Query the Whois databases

You can use Whois database query tools such as Whois, Traceroute, Active Whois, etc. to get details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.

Step 4: Document all information about the target


You should document all the information obtained from the various sources.

Note: Refer to Module 02: Footprinting and Reconnaissance for more information about information-gathering techniques.


Web Server Penetration Testing (Cont'd)

Step 5: Fingerprint the web server

Perform fingerprinting on the web server to gather information such as server name, server type, operating systems, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.

Step 6: Perform website crawling

Perform website crawling to gather specific types of information from web pages, such as email addresses. You can use tools such as httprint and Metagoofil to crawl the website.

Step 7: Enumerate web directories

Enumerate web server directories to extract important information such as web functionalities, login forms, etc. You can do this by using tools such as DirBuster.

Step 8: Perform a directory traversal attack

Perform a directory traversal attack to access restricted directories and execute commands outside of the web server's root directory. You can do this by using automated tools such as DirBuster.
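The flaw that Step 8 tests for, seen from the server side, as an added example; this is not code from the CEH material or from DirBuster or any other tool named above. It assumes a file handler that maps the request path onto a constructed document root, /var/www/html. resolve_unsafe is the 'before' form: the joined path is normalised but never checked, so '..' segments walk out of the root. resolve_safe is the form a retest should find: it percent-decodes repeatedly (so %2e%2e and the double-encoded %252e%252e both become '..' before the check), treats backslashes as separators, rejects NUL bytes, and refuses anything that does not stay below the root.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the demonstration (assumption: the server
# is only meant to serve files below this directory).
WEB_ROOT = "/var/www/html"


def resolve_unsafe(root, requested):
    """'Before' form: the request path is joined onto the root and normalised,
    but never checked. '../' segments walk out of the document root."""
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, so that %2e%2e and the
    double-encoded %252e%252e both end up as '..' before any check runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safe(root, requested):
    """Hardened form: decode, normalise, then refuse anything that does not
    stay inside the document root. Returns None when the request is rejected."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:                      # NUL truncation tricks
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # The trailing '/' keeps '/var/www/html2' from passing as a child of the root.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    probes = ("index.html", "../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
              "%252e%252e/%252e%252e/%252e%252e/etc/passwd")
    for probe in probes:
        print(repr(probe), "unsafe ->", resolve_unsafe(WEB_ROOT, probe),
              "| safe ->", resolve_safe(WEB_ROOT, probe))
```

Running the probes side by side shows why a retest needs the encoded variants as well as the plain one: a fix that only strips a literal "../" passes the first probe and fails the other two.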


Web Server Penetration Testing (Cont'd)

Step 9: Perform vulnerability scanning

Perform vulnerability scanning to identify weaknesses in a network using tools such as HP WebInspect, Nessus, etc. and determine if the system can be exploited.

Step 10: Perform an HTTP response splitting attack

Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.

Step 11: Perform a web cache poisoning attack

Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in the cache.
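The defect behind Steps 10 and 11, as an added example that is not code from the course or from any tool it names. It assumes an application that redirects to a user-supplied "next page" value. build_redirect_unsafe is the 'before' form: the decoded value goes straight into the Location header, so a CR LF pair inside it ends the header block early and whatever follows is read by a proxy or cache as a second, separate response; if the intermediary pairs that second response with the next request on the same connection, that page is what gets cached, which is the response-splitting route to cache poisoning. build_redirect_safe rejects control characters after decoding and only allows same-site relative paths. SPLIT_PAYLOAD is a constructed sample input, and count_responses shows what an intermediary would see.

```python
from urllib.parse import unquote

# Constructed sample input for a 'next page' parameter (not captured traffic).
# %0d%0a is CR LF: it closes the redirect early, and the text after it forms
# a second response that an intermediary parses as a separate message.
SPLIT_PAYLOAD = (
    "/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2017%0d%0a%0d%0a<h1>poisoned</h1>"
)


class HeaderInjectionError(ValueError):
    """Raised when user input would change the structure of a response header."""


def build_redirect_unsafe(next_page):
    """'Before' form: the decoded parameter goes into the Location header as-is."""
    target = unquote(next_page)
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n\r\n")


def build_redirect_safe(next_page):
    """Hardened form: decode first, then reject control characters and anything
    that is not a same-site relative path, before the value reaches a header."""
    target = unquote(next_page)
    if any(ch in target for ch in "\r\n\x00"):
        raise HeaderInjectionError("CR, LF or NUL in header value")
    if not target.startswith("/") or target.startswith("//"):
        raise HeaderInjectionError("only same-site relative redirects are allowed")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n\r\n")


def count_responses(raw):
    """Number of HTTP messages an intermediary would see in `raw`: every line
    that begins with 'HTTP/1.' starts a new response."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1."))


def is_rejected(next_page):
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(next_page)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe builder emits", count_responses(build_redirect_unsafe(SPLIT_PAYLOAD)),
          "responses for the split payload")
    print("safe builder rejects it:", is_rejected(SPLIT_PAYLOAD))
```

Validating after decoding matters: a check that runs on the raw %0d%0a form and a framework that decodes later give the attacker the same gap that the unsafe builder has.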

Step 12: Bruteforce login credentials

Bruteforce SSH, FTP, and other services' login credentials to gain unauthorized access.
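What Step 12 looks like from the defender's log, as an added example (not code from the course or from any tool named in this module). It assumes sshd lines in syslog format; the SAMPLE_AUTH_LOG lines are constructed, using RFC 5737 documentation addresses. detect_bruteforce flags any source address that reaches a threshold of failed logins within a sliding time window and, separately, records whether a flagged address later logged in successfully, since a guess that worked calls for incident response rather than only a block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (RFC 5737 addresses, not a real
# system). 203.0.113.7 fails five times in four seconds, then gets in with
# a password; 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_AUTH_LOG = """\
Sep 10 14:02:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 10 14:02:02 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Sep 10 14:02:03 web01 sshd[2205]: Accepted publickey for deploy from 198.51.100.23 port 40112 ssh2
Sep 10 14:02:03 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 10 14:02:04 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51028 ssh2
Sep 10 14:02:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 10 14:02:09 web01 sshd[2213]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Sep 10 14:30:00 web01 sshd[2301]: Failed password for alice from 192.0.2.44 port 60000 ssh2
Sep 10 14:31:00 web01 sshd[2303]: Accepted password for alice from 192.0.2.44 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Return (timestamp, result, user, ip), or None for lines we do not track.
    syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag each source IP that reaches `threshold` failed logins inside a
    sliding window of `window_seconds`. Returns {ip: {"failures", "targets",
    "success_after"}}; success_after is True when a flagged IP later logged in."""
    recent = defaultdict(deque)     # ip -> failure timestamps still in the window
    failures = defaultdict(int)     # ip -> total failures seen
    targets = defaultdict(set)      # ip -> account names tried
    flagged, success_after = set(), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip] += 1
            targets[ip].add(user)
            window = recent[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                flagged.add(ip)
        elif ip in flagged:          # Accepted login from an already-flagged IP
            success_after.add(ip)
    return {ip: {"failures": failures[ip], "targets": sorted(targets[ip]),
                 "success_after": ip in success_after} for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The sliding window, rather than a plain count, is what keeps a user who fails once a week from being flagged while still catching a burst of guesses; the threshold and window are tuning knobs that a team sets from its own baseline.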

Step 13: Perform session hijacking

Perform session hijacking to capture valid session cookies and IDs. You can use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
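An added example that covers Step 5 and Step 13 together from the defender's side; it is not code from the course or from ID Serve, httprecon, Netcraft or the session hijacking tools named above. It audits a single HTTP response for the two things those steps look for: headers that fingerprint the server (a Server value carrying a version, X-Powered-By, X-AspNet-Version and similar) and session cookies set without the Secure, HttpOnly and SameSite attributes, which are the cookies that a hijacking test captures most easily. Both responses are constructed samples; the SameSite attribute postdates this module but belongs in the check today.

```python
import re

# Constructed sample response, as a fingerprinting tool would see it
# (not captured from any real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 10 Sep 2012 14:10:00 GMT\r\n"
    "Server: Apache/2.2.22 (Unix) PHP/5.3.10\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid0001; path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The same server after the findings are fixed (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid0002; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers that name the product or framework behind the server.
DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
COOKIE_PROTECTIONS = ("secure", "httponly", "samesite")


def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...], body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def fingerprint_leaks(headers):
    """Headers that hand a fingerprinting tool the server type or version.
    A bare 'Server: Apache' is tolerated; 'Apache/2.2.22' is reported."""
    leaks = {}
    for name, value in headers:
        if name == "server" and re.search(r"\d", value):
            leaks[name] = value
        elif name in DISCLOSURE_HEADERS:
            leaks[name] = value
    return leaks


def cookie_weaknesses(headers):
    """For every Set-Cookie header, list the protective attributes it lacks."""
    result = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in COOKIE_PROTECTIONS if a not in attrs]
        if missing:
            result[cookie_name] = missing
    return result


def audit(raw):
    """Combined report for one response."""
    _, headers, _ = parse_response(raw)
    return {"leaks": fingerprint_leaks(headers), "cookies": cookie_weaknesses(headers)}


if __name__ == "__main__":
    print("before:", audit(SAMPLE_RESPONSE))
    print("after: ", audit(HARDENED_RESPONSE))
```

The same check run against the hardened response returns empty findings, which is the retest described under Remediation of Vulnerabilities earlier in this section.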


Web Server Penetration Testing (Cont'd)

Step 14: Perform a MITM attack

Perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers.

Step 15: Perform web application pen testing

Perform web application pen testing to determine whether applications are prone to vulnerabilities. Attackers can compromise a web server even with the help of a vulnerable web application.

Note: Refer to Module 13: Hacking Web Applications for more information on how to conduct web application pen testing.

Step 16: Examine web server logs

Examine the server logs for suspicious activities. You can do this by using tools such as Webalizer, AWStats, Ktmatu Relax, etc.
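What "suspicious activities" in Step 16 look like in practice, as an added example; this is not code from the course or from Webalizer, AWStats or any tool named above. It assumes access logs in the Apache/nginx "combined" format; the SAMPLE_ACCESS_LOG lines are constructed, using RFC 5737 addresses and made-up user-agent strings (one of them carries the name of the DirBuster tool mentioned in Step 7). triage reports, per source address, three patterns that earlier steps of this methodology leave behind: directory traversal probes (a '..' segment once percent-decoding is undone, including double encoding), a known tool name in the user agent, and a run of 404s that points to directory enumeration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed lines in the Apache/nginx "combined" log format (RFC 5737
# addresses, made-up user agents); not taken from any real server.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [10/Sep/2012:14:05:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
203.0.113.9 - - [10/Sep/2012:14:05:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster (constructed sample)"
203.0.113.9 - - [10/Sep/2012:14:05:02 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "DirBuster (constructed sample)"
203.0.113.9 - - [10/Sep/2012:14:05:03 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "DirBuster (constructed sample)"
203.0.113.9 - - [10/Sep/2012:14:05:03 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "DirBuster (constructed sample)"
203.0.113.9 - - [10/Sep/2012:14:05:04 +0000] "GET /login/ HTTP/1.1" 200 1024 "-" "DirBuster (constructed sample)"
192.0.2.77 - - [10/Sep/2012:14:06:10 +0000] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 400 0 "-" "curl/7.26.0"
192.0.2.77 - - [10/Sep/2012:14:06:11 +0000] "GET /static/%252e%252e/%252e%252e/web.config HTTP/1.1" 404 210 "-" "curl/7.26.0"
198.51.100.23 - - [10/Sep/2012:14:07:00 +0000] "POST /login HTTP/1.1" 302 0 "http://www.example.com/login" "Mozilla/5.0 (constructed)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tool names as they tend to appear in user-agent strings; a team extends
# this from what it actually sees in its own logs.
SCANNER_UA_MARKERS = ("dirbuster", "nikto", "sqlmap", "nmap")


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries, notfound_threshold=4):
    """Return {ip: set of findings}. Findings are 'traversal' (a '..' segment
    after percent-decoding), 'scanner-ua' (a known tool name in the user
    agent) and 'enumeration' (at least `notfound_threshold` 404s from one IP)."""
    findings = defaultdict(set)
    not_found = defaultdict(int)
    for e in entries:
        # Decode twice so that double-encoded %252e%252e is also seen as '..'.
        path = unquote(unquote(e["path"])).replace("\\", "/")
        if "../" in path or path.endswith("/.."):
            findings[e["ip"]].add("traversal")
        if any(marker in e["ua"].lower() for marker in SCANNER_UA_MARKERS):
            findings[e["ip"]].add("scanner-ua")
        if e["status"] == "404":
            not_found[e["ip"]] += 1
    for ip, count in not_found.items():
        if count >= notfound_threshold:
            findings[ip].add("enumeration")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in sorted(triage(parse_access_log(SAMPLE_ACCESS_LOG)).items()):
        print(ip, sorted(hits))
```

The 404 threshold is the noisiest of the three signals, since broken links produce 404s too; it is most useful combined with the other two, or with a short time window as in the brute-force check earlier in this section.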

Step 17: Exploit frameworks

Exploit the frameworks used by the web server using tools such as Acunetix, Metasploit, w3af, etc.

Step 18: Document all the findings

Summarize all the tests conducted so far along with the findings for further analysis. Submit a copy of the penetration test report to the authorized person.


Module Summary

- Web servers assume critical importance in the realm of Internet security.
- Vulnerabilities exist in different releases of popular webservers, and the respective vendors patch these often.
- The inherent security risks owing to compromised webservers affect the local area networks that host these websites, and even the normal users of web browsers.
- The long list of vulnerabilities that have been discovered and patched over the past few years gives an attacker ample scope to plan attacks on unpatched servers.
- Different tools and exploit codes aid an attacker in perpetrating web server hacking.
- Countermeasures include scanning for the existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering.
