CEHv8 Module 12: Hacking Webservers

Ethical Hacking and Countermeasures v8, Exam 312-50 Certified Ethical Hacker
Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Final update: GoDaddy is up, and claims that the outage was due to internal errors
and not a DDoS attack.
According to many customers, sites hosted by major web host and domain registrar
GoDaddy are down. According to the official GoDaddy Twitter account the company is
aware of the issue and is working to resolve it.
Update: customers are complaining that GoDaddy hosted e-mail accounts are down as
well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.
Update 2: A member of Anonymous known as AnonymousOwn3r is claiming
responsibility, and makes it clear this is not an Anonymous collective action.
A tipster tells us that the technical reason for the failure is being caused by the
inaccessibility of GoDaddy's DNS servers — specifically CNS1.SECURESERVER.NET,
CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.
By Klint Finley
Source: http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how an attacker hacks it, what the different types of attacks an attacker can carry out on web servers are, the tools used in web server hacking, etc. Exploring web server security is a vast domain, and delving into the finer details of the discussion is beyond the scope of this module. This module familiarizes you with:

- Why Web Servers Are Compromised
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- How to Defend Against Web Server Attacks
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing
Module Flow

To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. All of these are collectively termed web server concepts, so we discuss web server concepts first.

Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Counter-measures, Patch Management, Webserver Security Tools, Webserver Pen Testing.
Web Server Market Shares

Source: http://w3techs.com

Shares shown in the chart (0 to 80% scale): Apache 64.6%; Nginx 13%; LiteSpeed 1.7%; Microsoft IIS, Google Server, Tomcat and Lighttpd are also plotted.
Open Source Web Server Architecture

The diagram below illustrates the basic components of open source web server architecture: requests arrive from the Internet at a Linux host, where Apache serves them; PHP runs the applications, which use MySQL for storage, with email and compiled extensions alongside on the same file system.

Where:

- Linux: the server's operating system
- Apache: the web server component
- MySQL: a relational database
- PHP: the application layer
IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. The architecture diagram shows the request path:

- Kernel mode: the client's request from the Internet is received by the HTTP protocol stack (HTTP.SYS).
- User mode, Svchost.exe: the WWW Service and the Windows Activation Service (WAS) manage the application pools.
- User mode, Application Pool: the Web Server Core runs the request pipeline (begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, end request processing) and calls Native Modules (anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, HTTP logging) and, inside an AppDomain, Managed Modules such as Forms Authentication.
- applicationHost.config holds the configuration read by these components.
Website Defacement

Website defacement is the process by which hackers change the content of a website or web page. Hackers break into the web server and alter the hosted website by creating something new: they change the visual appearance of a web page by inserting or substituting provocative and frequently offensive data (the slide shows pages replaced with "You are OWNED!!!!!!!", "HACKED!" and "Hi Master, Your website owned by US, Hacker!"). Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
Why Web Servers Are Compromised

- Installing the server with default settings
- Unnecessary default, backup, or sample files
- Security conflicts with the business ease-of-use case
- Improper file and directory permissions
- Misconfigurations in the web server, operating system, and network
- Default accounts with their default or no passwords
- Lack of proper security policy, procedures, and maintenance
- Security flaws in the server software, OS, and applications
- Bugs in server software, OS, and web applications
- Misconfigured SSL certificates and encryption settings
- Improper authentication with external systems
- Use of self-signed certificates and default certificates
- Administrative or debugging functions that are enabled or accessible
- Unnecessary services enabled, including content management and remote administration
Impact of Webserver Attacks

Cause and consequence shown on the slide: data tampering leads to website defacement.

- Data tampering: An attacker can alter or delete the data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.
Module Flow

Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Nearly every online action is performed with the help of a web server, so it is considered a critical resource of an organization, and that is the very reason attackers target it. There are many attack techniques an attacker can use to compromise a web server, including HTTP response splitting attacks, web cache poisoning attacks, HTTP response hijacking, web application attacks, etc. We now discuss these attack techniques.
Webserver Misconfiguration

[...] infrastructure that can be exploited to launch various attacks on web servers such as directory [...] exploited and result in the total compromise of a website. Examples of such misconfiguration:

- Remote administration functions can give the attacker a way to break into the server.
- Unnecessary services that are left enabled are also vulnerable to hacking.
- Misconfigured/default SSL certificates.
- Verbose debug/error messages.
- Anonymous or default users/passwords.
- Sample configuration and script files.

Consider a server configuration that allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Consider another example, the php.ini file (display_errors is the directive PHP actually reads):

    display_errors = On           ; error text, file paths and query fragments go to every client
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off
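Checking a php.ini for the settings above is easy to automate. The following added example (not part of the CEH module) parses a php.ini-style file and flags the error-reporting directives that leak information from a production web server; the sample configuration is constructed to mirror the slide's settings, and the expose_php check is a related directive not shown on the slide.

```python
"""Audit a php.ini-style configuration for error-reporting settings that
leak information from a production web server.

Added example (not from the CEH module). The directive names are real
php.ini directives; the sample configuration is constructed to mirror the
one on the slide, plus expose_php, which is not on the slide."""
import re

# Constructed sample: the slide's settings, written as PHP expects them.
SAMPLE_PHP_INI = """\
; error handling section
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
expose_php = On
"""

# Values PHP treats as boolean true in ini files (case-insensitive).
_TRUE = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Return {directive: value} for 'key = value' lines, ignoring ';'
    comments and [section] headers. Keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("["):
            continue
        match = re.match(r"^([A-Za-z_.]+)\s*=\s*(.*)$", line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip().strip('"')
    return settings


def is_on(settings, key, default="Off"):
    """Boolean value of a directive, falling back to PHP's default."""
    return settings.get(key, default).lower() in _TRUE


def audit_php_ini(text):
    """Return a list of (directive, finding) tuples for a production host.

    display_errors=On sends PHP warnings, file paths and SQL fragments to the
    browser; errors belong only in a log (log_errors=On with error_log set).
    expose_php=On (PHP's default) advertises the PHP version in the
    X-Powered-By header, feeding the footprinting stage of an attack."""
    s = parse_ini(text)
    findings = []
    if is_on(s, "display_errors"):
        findings.append(("display_errors",
                         "On: error details are shown to clients; set Off in production"))
    if not is_on(s, "log_errors"):
        findings.append(("log_errors", "Off: errors are not recorded anywhere; set On"))
    if is_on(s, "log_errors") and not s.get("error_log"):
        findings.append(("error_log",
                         "unset: errors fall back to the SAPI error logger; set syslog or a file"))
    if is_on(s, "expose_php", default="On"):
        findings.append(("expose_php", "On: PHP version is sent in X-Powered-By; set Off"))
    return findings


if __name__ == "__main__":
    for directive, message in audit_php_ini(SAMPLE_PHP_INI):
        print(f"{directive}: {message}")
```

The audit treats a missing directive as PHP's compiled-in default, which is why expose_php is reported even when the file does not mention it.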
Directory Traversal Attacks

[...] root directory and access sensitive information in the system. In the example shown, the attacker requests

    http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

(%5c is a URL-encoded backslash, so ..%5c.. steps out of the scripts directory) and the server returns the output of the dir command:

    Volume in drive C has no label.
    Volume Serial Number is D45E-9FEE
    Directory of C:\
    06/02/2010  11:31 AM    1,024 .rnd
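The request above succeeds because the server checks the path before decoding it. The following added example (not code from the CEH module) performs the normalization a reviewer or web application firewall should apply to request paths to catch such traversal, including double-encoded variants; the sample request paths are constructed, the first being the URL from the slide.

```python
"""Detect directory traversal in request paths: percent-decode repeatedly
(for double encoding), treat backslashes as separators, and check whether
the '..' segments climb above the web root.

Added example (not code from the CEH module). The sample request paths are
constructed; the first is the IIS traversal URL shown on the slide."""
from urllib.parse import unquote

# Constructed sample request paths, as they would appear in an access log.
SAMPLE_PATHS = [
    "/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\",   # slide example
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",    # double-encoded
    "/images/../css/site.css",                                 # stays inside root
    "/static/..%2f..%2f..%2fetc/passwd",                       # climbs out
    "/index.html",
]


def full_decode(path, rounds=3):
    """Percent-decode until the text stops changing (bounded), so that
    %255c -> %5c -> '\\' is caught as well as a single %5c."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize_path(path):
    """Return (min_depth, segments): the resolved segments below the web root
    and the lowest depth reached while resolving. min_depth < 0 means the
    path escaped the root at some point, even if later segments re-enter."""
    path = path.split("?", 1)[0]                  # drop the query string
    path = full_decode(path).replace("\\", "/")   # Windows separators count too
    depth = min_depth = 0
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
            if segments:
                segments.pop()
        else:
            depth += 1
            segments.append(seg)
    return min_depth, segments


def is_traversal(path):
    """True if the request path climbs above the web root."""
    min_depth, _ = normalize_path(path)
    return min_depth < 0


def scan(paths):
    """Return the request paths that attempt traversal."""
    return [p for p in paths if is_traversal(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(("TRAVERSAL " if is_traversal(p) else "ok        ") + p)
```

The check is made on the fully decoded, separator-normalized path rather than on the raw URL, which is exactly the order the vulnerable server got wrong.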
HTTP Response Splitting Attack

The vulnerable servlet code copies a request parameter straight into a response header:

    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Input = Jason:

    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

Input = JasonTheHacker followed by CRLF-injected header and body lines: the server emits the attacker's text right after the cookie header, so the client or intermediary sees a first response

    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker

and then a second response, entirely under the attacker's control:

    HTTP/1.1 200 OK
    ...
Web Cache Poisoning Attack

[...] intermediate web cache source, in which honest content cached for a random URL is swapped [...] web cache. [...] poisoning is explained in detail with a step-by-step procedure.

In the diagram, the attacker requests juggyboy.com again to generate a cache entry:

    GET http://juggyboy.com/index.html HTTP/1.1
    Host: testsite.com
    User-Agent: Mozilla/4.7 [en] (WinNT; I)
    Accept-Charset: iso-8859-1,*,utf-8

The attacker gets the second response of the request, which points to the attacker's page, and the cache now holds that page for the URL (Poisoned Server Cache).
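The response splitting code and the cache poisoning diagram describe one attack chain. The following added example (not code from the CEH module) replays it in Python: a vulnerable and a hardened version of the slide's Set-Cookie logic, a minimal Content-Length-framing parser standing in for a caching proxy, and a naive cache that shows the injected second response being stored under the second request's URL. The payload, URLs and page bodies are constructed for the demonstration.

```python
"""HTTP response splitting and the web cache poisoning it enables.

Added example (not code from the CEH module). The slide's servlet logic,
Set-Cookie: author=<request parameter>, is re-created in Python in a
vulnerable and a hardened form; parse_responses() frames a byte stream on
Content-Length the way a proxy does, and naive_proxy() is a toy cache keyed
by request URL. Payload, URLs and page bodies are constructed."""

SAFE_BODY = b"<html>Welcome</html>"
ATTACKER_PAGE = b"<html>Attacker</html>"


def build_response_vulnerable(author):
    """Server as on the slide: the parameter is copied into a header
    unchecked, so a CR LF inside it ends the header and starts new lines."""
    return (b"HTTP/1.1 200 OK\r\n"
            + b"Set-Cookie: author=" + author.encode("latin-1") + b"\r\n"
            + b"Content-Length: " + str(len(SAFE_BODY)).encode("ascii") + b"\r\n"
            + b"\r\n" + SAFE_BODY)


def build_response_safe(author):
    """Hardened server: reject (do not strip) any CR or LF in a header value.
    URL decoding happens before this point, so %0d%0a arrives as CR LF."""
    if "\r" in author or "\n" in author:
        raise ValueError("CR/LF in header value rejected")
    return build_response_vulnerable(author)


def safe_rejects(author):
    """True if the hardened builder refuses the value."""
    try:
        build_response_safe(author)
    except ValueError:
        return True
    return False


def parse_responses(raw):
    """Split a byte stream into (status_line, headers, body) tuples, framing
    each body on Content-Length as a proxy would. Stops at the first head
    that does not start with an HTTP status line."""
    responses, pos = [], 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


def splitting_payload(page=ATTACKER_PAGE):
    """Attacker's 'author' value: closes the first response with an empty
    body, then supplies a complete second response of the attacker's choice."""
    return ("JasonTheHacker\r\n"
            "Content-Length: 0\r\n"
            "\r\n"
            "HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: %d\r\n"
            "\r\n" % len(page)) + page.decode("latin-1")


def naive_proxy(requests, raw_stream):
    """Caching proxy that pairs pipelined requests with responses in order.
    The injected second response lands on the second request (e.g.
    /index.html) and is cached under that URL: the poisoned cache entry."""
    cache = {}
    for url, response in zip(requests, parse_responses(raw_stream)):
        cache[url] = response
    return cache


if __name__ == "__main__":
    print(parse_responses(build_response_vulnerable("Jason"))[0][1]["set-cookie"])
    stream = build_response_vulnerable(splitting_payload())
    cache = naive_proxy(["/set?author=...", "http://juggyboy.com/index.html"], stream)
    print(len(parse_responses(stream)), "responses; cached for index.html:",
          cache["http://juggyboy.com/index.html"][2])
    print("hardened server rejects payload:", safe_rejects(splitting_payload()))
```

The server's own remaining bytes (its Content-Length header and welcome body) trail the injected response and are discarded by the parser because they do not begin with a status line; a real proxy would treat them the same way or as the start of the next response.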
SSH Bruteforce Attack

- SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network.
- Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel.
- SSH tunnels can be used to transmit malware and other exploits to victims without being detected.

(Diagram: the attacker uses the tunnel to reach the mail server and the file server.)

Man-in-the-Middle Attack

The attacker acts as a proxy such that all the communication between the user and the web server passes through him.

A man-in-the-middle attack is a method where an intruder intercepts or modifies the [...] such as online banking details, usernames, passwords, etc. transferred over the Internet to the web server. The attacker lures the victim to connect to the web server by pretending [...]

(Diagram: the user visits a website over normal traffic; the attacker sniffs the communication to steal session IDs.)

Webserver Password Cracking

Attackers mainly target:

- SSH tunnels
- FTP servers
- SMTP servers
- Web shares
Webserver Password Cracking Techniques

- Guessing: A common cracking method used by attackers is to guess passwords, either by humans or by automated tools supplied with dictionaries. Most people tend to use [...] them easily. The same thing allows the attacker to crack passwords by guessing.
- Dictionary Attack: A dictionary attack is a method that uses predefined words in various combinations. It may not be effective if the password consists of special characters and symbols, but compared to a brute force attack it is less time consuming.
- Hybrid Attack: A hybrid attack works similarly to a dictionary attack, but it adds numbers or symbols to the password attempt.
- Brute Force Attack: In the brute force method, all possible characters are tested, for [...] this type of method is useful to identify one-word or two-word passwords, whereas if a [...] take months or years to crack the password, which is practically impossible.
Web Application Attacks

Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications.

- Directory Traversal: Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.
- Parameter/Form Tampering
- Cookie Tampering
- Command Injection Attacks
- Cross-Site Scripting (XSS) Attacks
- Unvalidated Input and File Injection Attacks
- Cross-Site Request Forgery (CSRF) Attack
- Session Hijacking
Module Flow

So far we have discussed web server concepts and the various techniques used by the [...] servers. This section provides insight into the attack methodology and the tools that help at the various stages of hacking.
Module 12, Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Webserver Attack Methodology

[...] tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of the web server attack methodology are: Information Gathering, Webserver Footprinting, Mirroring Website, Vulnerability Scanning, Session Hijacking, and Hacking Web Server Passwords.

Information Gathering: Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she analyzes it in order to find the security lapses in the current mechanism of the web server.

Web Server Footprinting: The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to know [...]

Mirroring Website: Website mirroring is a method of copying a website and its content onto another server for offline browsing.

Vulnerability Scanning

Session Hijacking

Hacking Web Server Passwords
Webserver Attack Methodology: Information Gathering

Source: http://www.whois.net

Before hacking, every attacker first collects all the required information, such as the versions and technologies used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of an attacker's time is spent in the information gathering phase alone; that is why information gathering is both an art and a science. Many tools can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:

- Whois
- Traceroute
- Active Whois
- Nmap
- Angry IP Scanner
- Netcat
Whois

Example: a WHOis.net ("Your Domain Starting Place...") lookup of EBAY.COM:

    [Querying whois.verisign-grs.com]
    [whois.verisign-grs.com]
    Whois Server Version 2.0
    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.
    Domain Name: EBAY.COM
    Registrar: MARKMONITOR INC.
    Whois Server: whois.markmonitor.com
    Referral URL: http://www.markmonitor.com
    Name Server: SJC-DNS1.EBAYDNS.COM
    Name Server: SJC-DNS2.EBAYDNS.COM
    Name Server: SMF-DNS1.EBAYDNS.COM
    Name Server: SMF-DNS2.EBAYDNS.COM
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Status: serverDeleteProhibited
    Status: serverTransferProhibited
    Status: serverUpdateProhibited
    Updated Date: 15-sep-2010
    Creation Date: 04-aug-1995
    Expiration Date: 03-aug-2018
Netcraft

Netcraft "Search Web by Domain": explore 1,045,745 websites visited by users of the Netcraft Toolbar (3rd August 2012). Results for "microsoft":

    Site                              First seen       Netblock                    OS
    1.  www.microsoft.com             August 1995      Microsoft Corp              Citrix NetScaler
    2.  support.microsoft.com         October 1997     Microsoft Corp              unknown
    3.  technet.microsoft.com         August 1999      Microsoft Corp              Citrix NetScaler
    4.  windows.microsoft.com         June 1998        Microsoft Corp              Windows Server 2008
    5.  msdn.microsoft.com            September 1998   Microsoft Corp              Citrix NetScaler
    6.  office.microsoft.com          November 1998    Microsoft Corp              unknown
    7.  social.technet.microsoft.com  August 2008      Microsoft Corp              Citrix NetScaler
    9.  www.update.microsoft.com      May 2007         Microsoft Corp              Windows Server 2008
    10. social.msdn.microsoft.com     August 2008      Microsoft Corp              Citrix NetScaler
    11. go.microsoft.com              November 2001    MS Hotmail                  Citrix NetScaler
    12. windowsupdate.microsoft.com   February 1999    Microsoft Corp              Windows Server 2008
    13. update.microsoft.com          February 2005    Microsoft Corp              Windows Server 2008
    15. search.microsoft.com          January 1997     Akamai International B.V.   Linux
    18. wer.microsoft.com             October 2005     Microsoft Corp              Windows Server 2008

(Rows 8, 14, 16 and 17 are not legible in the screenshot.)
Webserver Footprinting Tools: Httprecon and ID Serve

Sources: http://www.computec.ch (httprecon), http://www.grc.com (ID Serve)

Httprecon

Httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is [...] the ease and efficiency of this kind of enumeration.

In the screenshot, httprecon sends several probes (GET existing, GET long request, GET non-existing, GET wrong protocol, HEAD existing, OPTIONS common) and matches the responses against its fingerprint database; the candidate list shows Oracle Application Server 10g 10.1.2.2.0, Sun Java System Web Server 7.0, Abyss 2.5.0.0, Apache 2.0.52 and Apache 2.2.6. A captured raw response:

    HTTP/1.1 200 OK
    Date: Thu, 11 Oct 2012 09:34:37 GMT
    Server: Apache
    expires: Thu, 01 Dec 1994 16:00:00 GMT
    cache-control: no-cache
    pragma: no-cache
    Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com;
    Set-cookie: adxca=-; path=/; domain=.nytimes.com
    Vary: Host

A second captured response in the screenshot ("The server identified itself as:") carries the headers Server: gws, Content-Length: 221, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN and Connection: close.

ID Serve

ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect to non-web servers to receive and report that server's greeting message, which generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.

(Screenshot: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware, with www.google.com entered as the server URL.)
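ID Serve reads the Server banner; httprecon goes further and compares header names, their order and their capitalization, which survive banner suppression. The following added example (not code from either tool or from the CEH module) extracts both kinds of features from a raw response head. The two sample responses are constructed from the headers visible in the screenshots above, and grab_head() is a live probe included for completeness and not run here.

```python
"""Web server fingerprinting from a raw HTTP response head: ID Serve reads
the Server banner, httprecon also uses header names, their order and case.

Added example (not code from the CEH module, ID Serve or httprecon). The two
sample responses are constructed from the headers in the module's
screenshots; grab_head() is a live probe and is not exercised offline."""
import socket

# Constructed sample: the Apache response captured in the httprecon screenshot.
APACHE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache\r\n"
    "expires: Thu, 01 Dec 1994 16:00:00 GMT\r\n"
    "cache-control: no-cache\r\n"
    "pragma: no-cache\r\n"
    "Set-Cookie: ALT_ID=007f; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com;\r\n"
    "Set-cookie: adxca=-; path=/; domain=.nytimes.com\r\n"
    "Vary: Host\r\n"
    "\r\n")
# Constructed sample: the Google (gws) headers visible in the same screenshot.
GWS_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gws\r\n"
    "Content-Length: 221\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n"
    "\r\n")


def parse_head(raw):
    """Return (status_line, [(name, value), ...]) preserving header order and
    the exact capitalization the server used."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def banner(raw):
    """ID Serve style: the advertised Server header, or None if absent."""
    for name, value in parse_head(raw)[1]:
        if name.lower() == "server":
            return value
    return None


def fingerprint(raw):
    """httprecon style features: status line, header names in the order sent,
    and the names emitted entirely in lower case (the sample Apache response
    does this for expires, cache-control and pragma). These remain when an
    administrator hides or forges the Server banner."""
    status, headers = parse_head(raw)
    names = [name for name, _ in headers]
    return {
        "status": status,
        "banner": banner(raw),
        "header_order": names,
        "lowercase_headers": sorted(n for n in names if n == n.lower()),
    }


def similarity(fp_a, fp_b):
    """Score two fingerprints by the longest common subsequence of their
    header orders (case-insensitive), normalized to 0..1. Matching an unknown
    host against stored signatures picks the highest score."""
    a, b = fp_a["header_order"], fp_b["header_order"]
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            if x.lower() == y.lower():
                dp[i][j] = dp[i - 1][j - 1] + 1
            else:
                dp[i][j] = max(dp[i - 1][j], dp[i][j - 1])
    return dp[len(a)][len(b)] / max(len(a), len(b), 1)


def grab_head(host, port=80, timeout=5):
    """Live probe: send a minimal HEAD request and return the raw response
    head as text for fingerprint(). Not run in the offline demonstration."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1")


if __name__ == "__main__":
    for raw in (APACHE_HEAD, GWS_HEAD):
        fp = fingerprint(raw)
        print(fp["banner"], fp["lowercase_headers"], fp["header_order"])
    print("similarity:", similarity(fingerprint(APACHE_HEAD), fingerprint(GWS_HEAD)))
```

Because the order-based score ignores the banner entirely, a server that rewrites Server: Apache to something else still matches the Apache signature.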
Webserver Attack Methodology: Mirroring a Website

- Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
- Search for comments and other items in the HTML source code to make footprinting activities more efficient.
- Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.

Source: http://www.httrack.com

[...] tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, Webcopier, and Blackwidow.

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories and getting HTML, images, and other files from the server to your computer. HTTrack preserves the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse [...]

(Screenshot: HTTrack mirroring a site into a local folder. Bytes saved: 320.26KB; Links scanned: 2/14; Time: 2min22s; Files written: 14; Transfer rate: 0B/s (1.19MB/s); Files updated: 0; Active connections: 1; Errors: 0.)
Webserver Attack Methodology: Vulnerability Scanning

- Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities.
- Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.

Nessus

[...] that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.
Webserver Attack Methodology: Session Hijacking

[...] Suite, Hamster, Firesheep, etc.

Burp Suite

Source: http://portswigger.net

[...] tool, repeater tool, sequencer tool, etc.

(Screenshot: Burp Suite Free Edition v1.4.01 with the site map for edition.cnn.com; the context menu offers "passively scan this branch", "engagement tools [pro version only]", "compare site maps", "expand branch", "expand requested items", "delete branch", "copy URLs in this branch", "copy links in this branch" and "save selected items". The selected request is a GET for /.element/ssi/incl/breaking_news/3.0/banner.html on edition.cnn.com with User-Agent Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1.)
Webserver Attack Methodology: Hacking Web Server Passwords

[...] crack web server passwords.

Brutus

Source: http://www.hoobie.net

(Screenshot: Brutus - AET2, www.hoobie.net/brutus, January 2000. Connections: 10; Timeout: 10; Use Proxy: Define. Authentication Options: Use Username, Single User, Pass Mode: Word List; User File: users.txt. Positive Authentication Results: Target 10.0.0.17/, Type HTTP (BasicAuth), Username admin, Password academic; a second result for username backup.)
Module Flow

The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.
Webserver Concepts, Webserver Attacks, Patch Management, Counter-measures
Metasploit
Figure: Metasploit Screenshot
http://www.metasploit.com
The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS.
Metasploit enables you to:
- … users
- … than one million unique downloads in the past year
- Tunnel any traffic through compromised targets to pivot deeper into the network
- Customize the content and template of executive, audit, and technical reports
Metasploit Architecture
The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.
Figure: Metasploit Architecture: Rex; Framework-Core; Framework-Base; Interfaces (msfconsole, msfcli, msfweb, msfwx, msfapi); Modules (Exploits, Payloads, Encoders, NOPs, Auxiliary); Libraries; Custom plug-ins; Protocol Tools; Security Tools; Web Services; Integration
It is the basic module in Metasploit used to encapsulate an exploit, with which users can target many platforms with a single exploit. This module comes with simplified meta-information fields. Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.
Selecting a Target
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit
msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
… as port scanning, denial of service, and even fuzzing. To run an auxiliary module, use either the run command or the exploit command.
Generates a NOP sled of a given length.
… sled of an arbitrary size and displaying it in a given format.

Options:
-h        Help banner.
-t <opt>  The output type: ruby, perl, c, or raw.

To generate a 50 byte NOP sled that is displayed as a C-style buffer, run the following command:

msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >
Figure: WFetch Screenshot
http://www.microsoft.com
Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was originally written to help check routers for default and common passwords.
Features
- HTTP (Basic Authentication)
- HTTP (HTML Form/CGI)
- POP3
- FTP
- SMB
- Telnet
- No username, single username, and multiple username modes
- Password list, combo (user/password) list and configurable brute force modes
- User and password list generation and manipulation functionality
THC-Hydra: a very fast network logon cracker that supports many different services
http://www.thc.org
Figure 12.28: THC-Hydra Screenshot (xHydra GUI)
http://www.rixler.com
Module Flow

So far, we have discussed web server concepts, techniques used by attackers, attack methodology, and tools that help in attacking the web server. All these concepts help in breaking into the web server or compromising web server security. Now it's time to discuss the countermeasures that help in enhancing the security of web servers. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web server against web server intrusions.

Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Patch Management, Counter-measures

This section highlights web server countermeasures that protect web servers against various attacks.
Countermeasures: Patches and Updates

The following are a few countermeasures that can be adopted to protect web servers against various hacking techniques:
- Scan for existing vulnerabilities, patch, and update the server software regularly.
- Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
- Apply all updates, regardless of their type, on an "as-needed" basis.
- Test the service packs and hotfixes on a representative non-production environment prior to being deployed to production.
- Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs).
- Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available.
- Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation.
- Schedule periodic service pack upgrades as part of operations maintenance and never try to have more than two service packs behind.
Countermeasures: Protocols

- Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.
- Harden the TCP/IP stack and consistently apply the latest software patches and updates to the system software.
- If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.
- If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols.
- Disable WebDAV if not used by the application, or keep it secure if it is required.
Countermeasures: Accounts

The following is the list of account countermeasures for hacking web servers:
- Remove all unused modules and application extensions.
- Disable unused default user accounts created during installation of an operating system.
- When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content.
- Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.
- Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
- Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures.
- Run processes using least privileged accounts as well as least privileged service and user accounts.
Countermeasures: Files and Directories

The following is the list of actions that should be taken against files and directories in order to protect web servers from hacking:
- Avoid mapping virtual directories between two different servers or over a network.
- Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently.
- Disable serving of directory listings.
- Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files.
- Disable serving certain file types by creating a resource mapping.
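The account countermeasure "audit and alert for logon failures" and the item above about checking website access logs are easier to act on with a concrete detector. The following Python script is an added example, not code from the CEH courseware: it parses a handful of constructed IIS W3C-format access log lines (sample data, not from the page), counts HTTP 401 responses per client IP and URI inside a sliding one-minute window, raises an alert once a burst reaches the threshold, and notes whether a 200 on the same URI followed the burst. The field layout, the threshold of five failures and the window length are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (made up for this example,
# not taken from the original page). Fields: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-01-01 17:01:09 203.0.113.50 GET /admin/ 401
2012-01-01 17:01:10 203.0.113.50 GET /admin/ 401
2012-01-01 17:01:11 203.0.113.50 GET /admin/ 401
2012-01-01 17:01:12 203.0.113.50 GET /admin/ 401
2012-01-01 17:01:13 203.0.113.50 GET /admin/ 401
2012-01-01 17:01:14 203.0.113.50 GET /admin/ 200
2012-01-01 17:05:00 198.51.100.8 GET /index.html 200
2012-01-01 17:05:01 198.51.100.8 GET /admin/ 401
2012-01-01 17:20:01 198.51.100.8 GET /admin/ 401
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def parse_w3c(text):
    """Parse the W3C log lines we care about; #directives and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "uri": m["uri"],
            "status": int(m["status"]),
        })
    return entries


def detect_logon_failure_bursts(entries, threshold=5, window=timedelta(minutes=1)):
    """Alert when one client IP produces `threshold` HTTP 401s on the same URI inside `window`.

    A 200 from the same IP on that URI after the burst is recorded as success_after:
    the shape of a password-guessing run that eventually worked.
    """
    recent = defaultdict(deque)   # (ip, uri) -> timestamps of recent 401s
    alerts = {}                   # (ip, uri) -> alert dict, one alert per key
    for e in sorted(entries, key=lambda x: x["ts"]):
        key = (e["ip"], e["uri"])
        if e["status"] == 401:
            q = recent[key]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"ip": e["ip"], "uri": e["uri"], "failures": len(q),
                               "first": q[0], "last": e["ts"], "success_after": False}
        elif e["status"] == 200 and key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_logon_failure_bursts(parse_w3c(SAMPLE_LOG)):
        print(f"ALERT {alert['ip']} {alert['uri']}: {alert['failures']} failures "
              f"between {alert['first']} and {alert['last']}, success after: {alert['success_after']}")
```

In the sample, the first client reaches five 401s on /admin/ within five seconds and then gets a 200, so the alert carries `success_after=True`; the second client's two failures are fifteen minutes apart and never trip the threshold, which is the behaviour a strong lockout or rate-limit policy also relies on.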
How to Defend Against Web Server Attacks

Ports
- Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server.
- Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL).
- Encrypt or restrict intranet traffic.

Server Certificates
- Ensure that certificate date ranges are valid and that certificates are used for their intended purpose.
- Ensure that the certificate has not been revoked and the certificate's public key is valid all the way to a trusted root authority.

Code Access Security
- Implement secure coding practices to avoid source code disclosure and input validation attacks.
- Restrict code access security policy settings to ensure that code downloaded from the Internet or Intranet has no permissions to execute.

IIS Lockdown
- Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
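To make the "audit the ports" and "limit inbound traffic to port 80 and 443" items (and the earlier Protocols advice to block NetBIOS and SMB) checkable, here is an added Python example, not from the original courseware, that parses constructed `netstat -an` output in the Windows layout and reports every listener reachable from the network that is not on the allowlist. The sample output, the allowlist and the port-to-service names are assumptions for the example; the ESTABLISHED connection and the loopback-only SQL listener are included to show what the audit should ignore.

```python
import re

# Allowed externally reachable ports for a web server: HTTP and HTTPS only (assumption).
ALLOWED_PORTS = {80, 443}

# Services the surrounding text singles out as risky when exposed; used for naming only.
KNOWN_SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 110: "POP3", 137: "NetBIOS-NS",
                  139: "NetBIOS-SSN", 445: "SMB", 1433: "MS SQL", 3389: "RDP"}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `netstat -an` output in the Windows layout (sample data, not from the page).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, foreign address, optional state (UDP rows have no state column)
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, bind address, port) for every TCP LISTENING socket and every UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # banner and column-header lines
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established or closing connections are not listeners
        addr, port = local.rsplit(":", 1)
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def audit_ports(listeners, allowed=ALLOWED_PORTS):
    """List network-reachable listeners outside the allowlist, sorted by port number."""
    findings = []
    for proto, addr, port in listeners:
        if addr in LOOPBACK:
            continue                      # bound to loopback only: not reachable from the network
        if port in allowed:
            continue
        findings.append({"proto": proto, "port": port,
                         "service": KNOWN_SERVICES.get(port, "unknown")})
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


if __name__ == "__main__":
    for f in audit_ports(parse_listeners(SAMPLE_NETSTAT)):
        print(f"exposed {f['proto']}/{f['port']} ({f['service']}) is not on the allowlist")
```

On the sample the audit reports Telnet, NetBIOS name service, SMB and RDP as exposed, which is exactly the set the Protocols and Services countermeasures say to block or disable; the SQL listener bound to 127.0.0.1 is deliberately left out because it is not reachable from the network.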
Machine.config
- Ensure that tracing is disabled (<trace enable="false" />) and debug compiles are turned off.
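An added Python example (not EC-Council's code) that audits the Machine.config / web.config settings just named: it reads a constructed weak configuration fragment, reports `trace enabled`, `compilation debug` and, from the Files and Directories list, the IIS `directoryBrowse` element left at true, and rewrites them to the hardened values. The XML fragments are constructed samples; the element and attribute names are the ASP.NET and IIS ones the text refers to, and the check table is an assumption for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config / machine.config fragments (sample data, not from the page):
# the weak one leaves tracing, debug compilation and directory browsing enabled.
WEAK_CONFIG = """\
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
"""

HARDENED_CONFIG = """\
<configuration>
  <system.web>
    <trace enabled="false" />
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
"""

# (element, attribute, insecure value, secure value, why it matters)
CHECKS = [
    ("trace", "enabled", "true", "false",
     "ASP.NET tracing exposes request and server details to clients"),
    ("compilation", "debug", "true", "false",
     "debug compiles return detailed error pages and run slower"),
    ("directoryBrowse", "enabled", "true", "false",
     "directory listings disclose file and folder names"),
]


def audit_config(xml_text):
    """Return one finding per insecure setting present in the configuration."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, attr, bad, good, why in CHECKS:
        for elem in root.iter(tag):
            # An absent attribute means the secure default for all three settings.
            if elem.get(attr, "false").lower() == bad:
                findings.append({"setting": f"{tag}@{attr}", "found": bad,
                                 "expected": good, "why": why})
    return findings


def harden_config(xml_text):
    """Rewrite every insecure setting to its secure value and return the new XML."""
    root = ET.fromstring(xml_text)
    for tag, attr, bad, good, _why in CHECKS:
        for elem in root.iter(tag):
            if elem.get(attr, "false").lower() == bad:
                elem.set(attr, good)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"{f['setting']} is {f['found']}, expected {f['expected']}: {f['why']}")
    print(harden_config(WEAK_CONFIG))
```

Running the audit after `harden_config` returns no findings, which is the check a patch-management or configuration-baseline job should repeat after every deployment, since a developer build can silently turn `debug` back on.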
IIS Lockdown
- IIS Lockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kinds of HTTP requests that the server can process based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.

Services
- Disable the Telnet service.
- Switch off all unnecessary services and disable them so that they are not started automatically the next time the server is rebooted. This also gives an extra boost to your server performance by freeing some hardware resources.
How to Defend Against Web Server Attacks (Cont'd)

Registry
Share
IIS Metabase
Auditing and Logging
Script Mappings
- Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions that handle these types of files.
Sites and Virtual Directories
- Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.
ISAPI Filters
How to Defend Against Web Server Attacks (Cont'd)

The following is a list of actions that can be taken to defend web servers from various kinds of attacks:
- Do use a dedicated machine as a web server.
- Use server-side session ID tracking and match connections with time stamps, IP addresses, etc.
- Do not connect an IIS Server to the Internet until it is fully hardened.
- Do not allow anyone to locally log on to the machine except for the administrator.
- If a database server, such as Microsoft SQL Server, is to be used as a backend database, install it on a separate server.
- Use security tools provided with web server software and scanners that automate and make the process of securing a web server easy.
- Do configure a separate anonymous user account for each application, if you host multiple web applications.
- Limit the server functionality in order to support the web technologies that are going to be used.
How to Defend against HTTP Response Splitting and Web Cache Poisoning

The following are the measures that should be taken in order to defend against HTTP response splitting and web cache poisoning:

Server Admin
- Use the latest web server software.
- Regularly update/patch the OS and web server.
- Run a web vulnerability scanner.

Application Developers
- Restrict web application access to unique IPs.
- Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters.
- Comply with the RFC 2616 specifications for HTTP/1.1.

Proxy Servers
- Avoid sharing incoming TCP connections among different clients.
- Use different TCP connections with the proxy for different virtual hosts.
- Implement "maintain request host header" correctly.
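The "disallow carriage return and line feed" rule is the whole of the application developer's defence, so here is an added Python example (not from the courseware) that shows the unsafe pattern beside the checked one: a redirect whose Location header is built from a request parameter. `INJECTED_PARAM` is a constructed sample value carrying an encoded CR LF and a harmless second header line; the function names are assumptions for the example.

```python
from urllib.parse import unquote

# Characters that must never reach a header value: they end the header line (or the header block).
CRLF_CHARS = ("\r", "\n", "\0")

# Constructed request parameter (sample, not from the page): a path followed by an
# encoded CR LF (%0d%0a) and a second, harmless header line.
INJECTED_PARAM = "/home%0d%0aX-Injected:%20yes"


def count_header_lines(header_block):
    """Number of header lines a client or cache would see in a CRLF-delimited header block."""
    return len([ln for ln in header_block.split("\r\n") if ln])


def vulnerable_redirect(target):
    """Unsafe: the (already URL-decoded) parameter is copied straight into the Location header."""
    return f"Location: {target}\r\n"


def is_safe_header_value(raw_param):
    """Decode the way the framework would, then require that no CR, LF or NUL survives."""
    decoded = unquote(raw_param)
    return not any(ch in decoded for ch in CRLF_CHARS)


def safe_header_value(raw_param):
    if not is_safe_header_value(raw_param):
        raise ValueError("CR/LF in header value rejected")
    return unquote(raw_param)


def safe_redirect(raw_param):
    """Hardened: the value is validated before it is placed in the header."""
    return f"Location: {safe_header_value(raw_param)}\r\n"


if __name__ == "__main__":
    # The vulnerable version turns one parameter into two header lines.
    vulnerable = vulnerable_redirect(unquote(INJECTED_PARAM))
    print(repr(vulnerable), "->", count_header_lines(vulnerable), "header lines")
    print(repr(safe_redirect("/home")))
    try:
        safe_redirect(INJECTED_PARAM)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable builder emits two header lines from one parameter, which is the primitive behind both response splitting and the cache-poisoning variant; the hardened builder refuses the value outright rather than trying to strip characters, because stripping leaves the door open to encodings the filter did not anticipate.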
Module Flow

Developers always try to find the bugs in the web server and try to fix them. The bug … vulnerabilities. Patch management is a process used to ensure that the appropriate patches are … web servers in order to protect them from attacks.

Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Counter-measures
Patches and Hotfixes

A patch is a program used to make changes in the software installed on a computer. … improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job to a programming problem.

A hotfix is a package that includes various files used specifically to address various problems of software. Hotfixes are used to fix bugs in a product. Hotfixes are an update to fix a specific customer issue and are not always distributed outside the customer organization. Users may be notified about the latest hotfixes through emails or through the vendor's website. Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.
What Is Patch Management?

An automated patch management process:
- Detect: Use tools to detect missing security patches
- Maintain: Subscribe to get notifications about vulnerabilities as they are reported

- Choosing, verifying, testing, and applying patches
- Updating previously applied patches with current patches
- Listing patches applied previously to the current software
- Assigning and deploying the applied patches

1. Detect: It is very important to always detect missing security patches through proper detecting tools. If there is any delay in the detection process, the chances of malicious attacks are very high.
2. Assess: Once the detection process is finished, it is always better to assess the various issues and the factors associated with them, and to implement those strategies where issues can be drastically reduced or eliminated.
3. Acquire: The suitable patch required to fix the issues has to be downloaded.
4. Test: It is always suggested to first install the required patch on the testing system rather than the main system, as this provides a chance to verify the various consequences of updating.
5. Deploy: Patches are to be deployed into the systems with utmost care, so that no application of the system is affected.
6. Maintain: It is always useful to subscribe to get notifications about various possible vulnerabilities as they are reported.
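Step 1 (Detect) is where automation pays off. The following Python example is added here and is not from the courseware: it compares a constructed software inventory against a constructed advisory feed (placeholder ids, not real advisories) and lists the missing patches ordered by severity, comparing versions numerically rather than as strings so that 3.10.0 is correctly recognised as newer than 3.5.1. The inventory format, the severity ranking and the package names are assumptions for the example.

```python
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Constructed inventory of installed software and a constructed advisory feed
# (sample data with placeholder ids, not from the page).
INSTALLED = {"webserver": "2.2.14", "dbserver": "5.1.40", "framework": "3.5.1"}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "webserver", "fixed_in": "2.2.16", "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "package": "dbserver", "fixed_in": "5.1.40", "severity": "high"},
    {"id": "ADV-EXAMPLE-003", "package": "framework", "fixed_in": "3.10.0", "severity": "moderate"},
    {"id": "ADV-EXAMPLE-004", "package": "mailserver", "fixed_in": "1.0.1", "severity": "low"},
]


def parse_version(version):
    """Split a dotted version into integers so that '3.10.0' compares newer than '3.5.1'.

    Comparing the raw strings gets this wrong ('3.10.0' < '3.5.1' as text), which is a
    classic way for a home-grown patch checker to report a vulnerable host as up to date.
    """
    return tuple(int(part) for part in version.split("."))


def detect_missing_patches(installed, advisories):
    """Return the advisories whose fix is newer than what is installed, most severe first."""
    missing = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue                      # package not installed: advisory does not apply
        if parse_version(current) < parse_version(adv["fixed_in"]):
            missing.append({**adv, "installed": current})
    return sorted(missing, key=lambda m: (SEVERITY_RANK[m["severity"]], m["package"]))


def summarize(missing):
    """Count missing patches per severity, for the report that feeds the Assess step."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for m in missing:
        counts[m["severity"]] += 1
    return counts


if __name__ == "__main__":
    missing = detect_missing_patches(INSTALLED, ADVISORIES)
    for m in missing:
        print(f"{m['severity']:>8}  {m['id']}  {m['package']} {m['installed']} -> {m['fixed_in']}")
    print(summarize(missing))
```

On the sample data the web server (critical) and the framework (moderate) are reported; the database server is already at the fixed version and the mail server advisory is skipped because that package is not installed. In practice the inventory would come from the platform's package or update database and the advisories from the vendor feeds the text recommends subscribing to.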
Identifying Appropriate Sources for Updates and Patches

First make a patch management plan that fits the operational environment and business objectives.

It is very important to identify the appropriate source for updates and patches. You should take care of the following things related to patch management:
- Find appropriate updates and patches on the home sites of the applications' or operating systems' vendors.
- The recommended way of tracking issues relevant to proactive patching is to register on the home sites to receive alerts.
Installation of a Patch

Users can access and install security patches via the World Wide Web. You should search for a suitable patch and install it from the Internet. Patches can be installed in two ways:

Manual Installation: In the manual installation process, the user downloads the suitable patch from the vendor and fixes it.

Automatic Installation: In automatic installation, the applications, with the help of the auto update feature, will get updated automatically.
Implementation and Verification of a Security Patch or Upgrade

You should be aware of a few things before implementing a patch. The following things should be kept in mind:
- … patches.
- The patch management team should check for updates and patches regularly. A patch management tool must be able to monitor the patched systems.
Patch Management Tool: Microsoft Baseline Security Analyzer (MBSA)

Source: http://www.microsoft.com

- Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server
- It also scans a computer for insecure configuration settings

Figure: MBSA Screenshot (scan report, MBSA version 2.2.2170.0)

The Microsoft Baseline Security Analyzer (MBSA) allows you to identify missing security updates and common security misconfigurations. It is a tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
Patch Management Tools

A list of other patch management tools follows:
© Altiris Client Management Suite available at http://www.symantec.com
© GFI LANguard available at http://www.gfi.com
© Kaseya Security Patch Management available at http://www.kaseya.com
© ZENworks® Patch Management available at http://www.novell.com
© Security Manager Plus available at http://www.manageengine.com
© Prism Patch Manager available at http://www.newboundary.com
© MaaS360® Patch Analyzer Tool available at http://www.maas360.com
© Secunia CSI available at http://secunia.com
© Lumension® Patch and Remediation available at http://www.lumension.com
© VMware vCenter Protect available at http://www.vmware.com
Module Flow

Web servers should always be secured in the networked computing environment, which can be done with the help of web server security tools.

(Module flow diagram: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Counter-measures.)

This section lists and describes various web server security tools.
Web Application Security Scanner: Syhunt Dynamic

Features:
© Supports any web server platform.
© Supports ASP, ASP.NET, and PHP.
© The number of threads can be adjusted.
© Scans a URL or a set of URLs provided by the user.
© Performs a wide range of attacks, sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion, and many other web application vulnerability classes.
© Local or Remote Storage: Scan results are saved locally (on the disk) or remotely (in the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.
© In addition to its GUI (Graphical User Interface) functionalities, Syhunt offers an easy-to-use command-line interface.

(Screenshot: Syhunt Dynamic scan of a target on port 80 showing the discovered site structure, including several PHP pages.)
Web Application Security Scanner: N-Stalker Web Application Security Scanner

Source: http://www.nstalker.com

N-Stalker Web Application Security Scanner is a web security assessment solution for your web applications. It is a security assessment tool that incorporates the N-Stealth HTTP security scanner. It searches for vulnerabilities such as SQL injection, XSS, and known attacks. It helps in managing the web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.

(Screenshot: N-Stalker scanner results pane showing vulnerability counts by severity, the scanned web server components, and summary statistics such as requests sent and average response time.)
Web Server Security Scanner: Wikto

Source: http://www.sensepost.com

Wikto is a Nikto-style web server scanner for Windows, with a couple of extra features including fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET Framework.

Wikto may not test for SQL injection, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.
Web Server Security Scanner: Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner checks web applications for SQL injection, cross-site scripting, etc. It includes advanced penetration testing tools to ease the manual security audit process, and also creates professional security audit and regulatory compliance reports.

(Screenshot: Acunetix WVS scan of http://www.juggyboy.com:80/ with the Site Crawler, Target Finder, Subdomain Scanner, Blind SQL Injector, HTTP Editor, HTTP Sniffer, HTTP Fuzzer, and Authentication Tester tools visible; the scan finished after 381 requests at Acunetix Threat Level 0 (Safe), and the activity log notes that the scan checked only for XSS vulnerabilities.)
Web Server Malware Infection Monitoring Tool: HackAlert

HackAlert™ is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements.

Source: http://www.armorize.com

(Screenshot: HackAlert dashboard showing scan totals and a malware-detection trend chart.)
Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection

QualysGuard® Malware Detection Service scans websites for malware infections and threats.

Source: http://www.qualys.com

(Screenshot: QualysGuard Malware Detection Service portal. The scan setup wizard, "Step 5 of 5: Review and Confirm your settings", shows the site URL http://www.juggyboy.com, crawl exclusion lists, scheduling, assigned tags, and a maximum of 200 pages; the scan history lists per-page High/Med/Low/Info counts and status for pages under juggyboy.com.)
Webserver Security Tools

Webserver security tools scan large, complex websites and web applications to tackle web server and web application vulnerabilities. A few webserver security tools include:
© Retina CS available at http://www.beyondtrust.com
© Nscan available at http://nscan.hypermart.net
© SAINT Scanner available at http://www.saintcorporation.com
© HP WebInspect available at https://download.hpsmartupdate.com
© Arirang available at http://monkey.org
© WebCruiser available at http://sec4app.com
© dotDefender available at http://www.applicure.com
Module Flow

The whole idea behind ethical hacking is to hack your own network or system in an attempt to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.

(Module flow diagram: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Counter-measures.)

Web Server Pen Testing Tool: CORE Impact® Pro

Source: http://www.coresecurity.com

CORE Impact® Pro helps you in penetrating web servers to find vulnerabilities/weaknesses in the web server. By safely exploiting vulnerabilities in your network infrastructure, this tool identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments. This tool is able to perform the following:
© Identify weaknesses in web applications, web servers, and associated databases
© Test the following targets as well:
  © Network Systems
  © Endpoint systems
  © Wireless Networks
  © Network Devices
  © Mobile Devices
  © IPS/IDS and other defenses
(Screenshot: CORE Impact Professional 11.0 module browser listing local privilege escalation and remote exploit modules by platform, with the Network Attack and Penetration wizard open.)
Web Server Pen Testing Tool: Immunity CANVAS

Immunity CANVAS is an exploitation framework whose exploit, reconnaissance, and post-exploitation modules allow a penetration tester to discover all possible security vulnerabilities on the web server.

(Screenshot: CANVAS module tree with Exploits, DoS (Denial of Service) Modules, Recon Tools, Post-Exploitation Control, Commands, and Nodes panes.)
Web Server Pen Testing

Web server pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Why Web Server Pen Testing?

Web server pen testing is useful for:
© Identification of Web Infrastructure: To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.
© Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
© Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that it is completely secure.
(Flowchart: START; Step 1, search open sources (Internet, newsgroups, bulletin boards, etc.) for information about the target; Step 2, perform social engineering (social networking, dumpster diving) to collect information such as human resources, contact details, etc. that may help in web server authentication testing; Step 3, use Whois database query tools to get details such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.)
Web Server Penetration Testing

Web server penetration testing starts with collecting as much information as possible about an organization, ranging from its physical location to its operating environment. The following are the series of steps conducted by the pen tester to penetrate a web server:

Step 1: Search open sources for information about the target
Try to collect as much information as possible about the target organization's web server, ranging from its physical location to its operating environment. You can obtain such information from the Internet, newsgroups, bulletin boards, etc.

Step 2: Perform social engineering
Perform social engineering techniques to collect information such as human resources, contact details, etc. that may help in web server authentication testing. You can also perform social engineering through social networking sites or dumpster diving.

Step 3: Query the Whois databases
You can use Whois database query tools such as Whois, Traceroute, Active Whois, etc. to get details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.

Step 4: Document all information about the target
You should document all the information obtained from the various sources.
(Flowchart: Step 5, fingerprint the web server using tools such as httprint; Step 6, crawl the website to gather specific types of information from web pages, such as email addresses, using tools such as Metagoofil; Step 7, enumerate web server directories using tools such as DirBuster to extract important information such as web functionalities, login forms, etc.)
Web Server Penetration Testing (Cont'd)

Step 5: Fingerprint the web server
Perform fingerprinting on the web server to gather information such as server name, server type, operating system, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.
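As an added example (not code from the CEH module, and not ID Serve, httprecon or Netcraft), the following Python shows what passive fingerprinting extracts from a single HTTP response: the Server banner, the X-Powered-By header, and the order in which the server emits its headers. Header order is the part worth noticing: an administrator can rewrite the Server banner, but the order is a property of the server software and survives that change. The two responses are constructed samples and the order-signature table is a tiny hand-made assumption, not a real fingerprint database.

```python
"""Added example: passive web server fingerprinting from a raw HTTP response.

Illustrative code written for this page; it is not ID Serve, httprecon or
Netcraft. The two responses are constructed samples and the header-order
signatures are a deliberately small hand-made table (an assumption for the
demo), not a real fingerprint database.
"""
from typing import Dict, List, Tuple

# Constructed sample responses (CRLF line endings as on the wire)
APACHE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 12 Oct 2012 10:28:00 GMT\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

IIS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Fri, 12 Oct 2012 10:28:00 GMT\r\n"
    b"\r\n"
    b"<html></html>"
)

# Hand-made header-order signatures: the first three header names, in order.
# Real httprecon-style tools keep far larger tables; these are demo assumptions.
ORDER_SIGNATURES: Dict[Tuple[str, ...], str] = {
    ("date", "server", "x-powered-by"): "Apache (PHP module)",
    ("content-type", "server", "x-powered-by"): "Microsoft IIS (ASP.NET)",
}


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and ordered (name, value) headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def fingerprint(raw: bytes) -> Dict[str, str]:
    """Combine banner, X-Powered-By and header order into one fingerprint."""
    status_line, headers = parse_response(raw)
    lookup = dict(headers)  # last value wins; adequate for a banner lookup
    order = tuple(name for name, _ in headers[:3])
    return {
        "protocol": status_line.split(" ", 1)[0],
        "server": lookup.get("server", "(banner removed)"),
        "powered_by": lookup.get("x-powered-by", "(none)"),
        "order_guess": ORDER_SIGNATURES.get(order, "unknown"),
    }


if __name__ == "__main__":
    for name, raw in (("apache", APACHE_RESPONSE), ("iis", IIS_RESPONSE)):
        print(name, fingerprint(raw))
```

In a real engagement the bytes would come from a socket after sending `HEAD / HTTP/1.1`; the parsing and the signature lookup are the same.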
Step 6: Perform website crawling
Crawl the website to gather specific types of information from web pages, such as email addresses, using tools such as Metagoofil.

Step 7: Enumerate web directories
Enumerate web server directories to extract important information such as web functionalities, login forms, etc. using tools such as DirBuster.

Step 8: Perform a directory traversal attack
Attempt to read files outside the web root by supplying "../" sequences (plain or URL-encoded) in the requested path or in file-name parameters.
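As an added example (not from the CEH module or any server's code), the following Python puts the vulnerable path mapping that makes directory traversal work next to a hardened version of the same lookup. The web root `/var/www/html` and the payloads are constructed; the functions work on path strings only and never touch the filesystem, so the output shows exactly where each resolver would go looking for the requested file.

```python
"""Added example: a directory traversal payload against a vulnerable path
join, next to a hardened version of the same lookup.

Illustrative code written for this page, not taken from any server or tool.
The web root and the payloads are constructed; nothing here reads the disk.
"""
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the demo


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Vulnerable mapping: URL-decode, strip the leading slash, join, normalize, serve.

    posixpath.normpath collapses "../" components, so a request for
    "../../../etc/passwd" resolves to a path outside the web root.
    """
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def hardened_resolve(web_root: str, requested: str) -> Optional[str]:
    """Same mapping, followed by a containment check; None means refuse (403/404)."""
    root = posixpath.normpath(web_root)
    # Decode exactly once, as the server does; the containment check, not the
    # decoding, is what stops traversal.
    decoded = unquote(requested)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath compares path components, not characters, so a sibling such
    # as "/var/www/html2" is correctly rejected as outside "/var/www/html".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed traversal payloads a pen tester would try in Step 8
PAYLOADS = [
    "index.html",
    "../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",          # URL-encoded slashes
    "..%252f..%252f..%252fetc%252fpasswd",  # double-encoded: only works if a later layer decodes again
    "/etc/passwd",                          # absolute path; stays inside the root after lstrip
    "images/../../../../etc/shadow",
]


def compare(web_root: str, requested: str) -> Dict[str, Optional[str]]:
    """Show where each resolver would look for the requested file."""
    return {
        "request": requested,
        "vulnerable": vulnerable_resolve(web_root, requested),
        "hardened": hardened_resolve(web_root, requested),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        print(compare(WEB_ROOT, p))
```

The check to look for in code review is the containment test after normalization; stripping `../` from the input is not equivalent, since `....//` survives one pass of stripping and collapses to `../` afterwards.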
Web Server Penetration Testing (Cont'd)

Step 9: Perform vulnerability scanning
Perform vulnerability scanning to identify weaknesses in the network using tools such as HP WebInspect, Nessus, etc. and determine whether the system can be exploited.

Step 10: Perform an HTTP response splitting attack
Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header; CR/LF characters in that data let the attacker terminate the server's response and append a second, forged response.

Step 11: Perform a web cache poisoning attack
Perform a web cache poisoning attack to replace the content a shared cache holds for a URL with attacker-supplied content: the attacker first causes the cached copy to be flushed or expire, then sends a specially crafted request (typically built on HTTP response splitting) so that the forged response is stored in the cache and served to later users of that URL.
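As an added example covering Steps 10 and 11 (not code from the CEH module or any server), the following Python shows a redirect handler that copies a user-controlled value into a `Location` header, the CRLF payload that splits its response in two, and a minimal pipelining cache that stores the forged second response under the victim URL. The handler, the cache, the payload and the URLs are all constructed to show the mechanism; they are not a real proxy or exploit.

```python
"""Added example: HTTP response splitting and how it poisons a shared cache.

Illustrative code written for this page, not from any server or tool. The
redirect handler, the payload, the minimal pipelined cache and the URLs are
constructed to show the mechanism.
"""
from typing import Dict, List
from urllib.parse import unquote

CRLF = "\r\n"


def vulnerable_redirect(lang: str) -> str:
    """Vulnerable handler: the user-controlled `lang` value is copied into a header unchanged."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: /index.php?lang=" + lang + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    )


def hardened_redirect(lang: str) -> str:
    """Hardened handler: CR and LF never reach a header, so the response cannot be split."""
    if "\r" in lang or "\n" in lang:
        raise ValueError("CR/LF not allowed in header values")
    return vulnerable_redirect(lang)


def rejected_by_hardened(lang: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        hardened_redirect(lang)
        return False
    except ValueError:
        return True


def split_responses(stream: str) -> List[str]:
    """Split a response stream the way a simple proxy would: headers end at the
    first blank line, and Content-Length says how much body follows."""
    responses: List[str] = []
    pos = 0
    while pos < len(stream):
        end_head = stream.find(CRLF + CRLF, pos)
        if end_head < 0:
            break
        head = stream[pos:end_head]
        length = 0
        for line in head.split(CRLF)[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        end_body = end_head + 4 + length
        responses.append(stream[pos:end_body])
        pos = end_body
    return responses


def poison_cache(requests: List[str], stream: str) -> Dict[str, str]:
    """A naive pipelining cache pairs the N-th response with the N-th request URL.
    With a split stream, the attacker's forged response lands under the victim's URL."""
    return {url: resp for url, resp in zip(requests, split_responses(stream))}


# Constructed attacker input: URL-encoded CRLFs, then a complete forged response.
FORGED_BODY = "<html>defaced</html>"
PAYLOAD = unquote(
    "en%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%20" + str(len(FORGED_BODY)) + "%0d%0a%0d%0a"
) + FORGED_BODY


def demo() -> Dict[str, str]:
    """Attacker pipelines two requests; the cache then serves the forged page for /index.html."""
    pipeline = ["/redirect.php?lang=" + PAYLOAD, "/index.html"]
    return poison_cache(pipeline, vulnerable_redirect(PAYLOAD))


if __name__ == "__main__":
    for url, resp in demo().items():
        print(url, "->", resp.split(CRLF)[0])
```

The first `Content-Length: 0` inside the payload is what terminates the legitimate 302 so that the cache reads the next bytes as a fresh response; the fix is in `hardened_redirect`, and modern frameworks apply the same CR/LF rejection to every header they set.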
Step 12: Brute force login credentials
Brute force the login credentials of SSH, FTP, and other services to gain unauthorized access.

Step 13: Perform session hijacking
Perform session hijacking to capture valid session cookies and IDs. You can use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
(Flowchart: Step 14, perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers; Step 15, perform web application pen testing (refer to Module 13: Hacking Web Applications for more information on how to conduct web application pen testing); Step 16, examine web server logs using tools such as Webalizer, AWStats, Ktmatu Relax, etc.; Step 17, exploit frameworks using tools such as Acunetix, Metasploit, w3af, etc.)
Web Server Penetration Testing (Cont'd)

Step 14: Perform a MITM attack
Perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers.

Step 15: Perform web application pen testing
Perform web application pen testing on the applications hosted by the web server to find vulnerabilities. Attackers can compromise a web server even with the help of a vulnerable web application. Refer to Module 13: Hacking Web Applications for more information on how to conduct web application pen testing.

Step 16: Examine web server logs
Examine the web server logs for traces of the attacks above using tools such as Webalizer, AWStats, Ktmatu Relax, etc.
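As an added example for Step 16 (not code from the CEH module, Webalizer or AWStats), the following Python reads access log lines in Apache/NCSA combined format and flags the traces the earlier steps leave behind: traversal sequences, SQL injection strings, scanner User-Agents, and a burst of 404s from one client, which is what directory enumeration looks like from the server side. The log lines are constructed, with documentation-range addresses and made-up paths.

```python
"""Added example: scanning web server access logs for attack traces.

Illustrative code written for this page; it is not Webalizer, AWStats or any
log analyzer. The log lines are constructed in Apache/NCSA combined format
with documentation-range addresses and made-up paths.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log (combined format); one attacker enumerates, one exploits
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2012:10:28:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Oct/2012:10:28:02 +0000] "GET /admin/ HTTP/1.1" 404 212 "-" "DirBuster-1.0-RC1"
192.0.2.77 - - [12/Oct/2012:10:28:02 +0000] "GET /backup/ HTTP/1.1" 404 212 "-" "DirBuster-1.0-RC1"
192.0.2.77 - - [12/Oct/2012:10:28:03 +0000] "GET /old/ HTTP/1.1" 404 212 "-" "DirBuster-1.0-RC1"
192.0.2.77 - - [12/Oct/2012:10:28:03 +0000] "GET /test/ HTTP/1.1" 404 212 "-" "DirBuster-1.0-RC1"
192.0.2.77 - - [12/Oct/2012:10:28:04 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "DirBuster-1.0-RC1"
192.0.2.55 - - [12/Oct/2012:10:29:10 +0000] "GET /download.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Oct/2012:10:29:12 +0000] "GET /item.php?id=1%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 500 640 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Oct/2012:10:30:00 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
SQLI_RE = re.compile(r"(union\s+select|'\s*or\s+|--\s*$|;\s*drop\s)", re.IGNORECASE)
SCANNER_AGENTS = ("dirbuster", "nikto", "sqlmap", "w3af", "acunetix")
NOT_FOUND_THRESHOLD = 3  # 404s from one client before we call it enumeration


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line into named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsed log line: " + line)
    return m.groupdict()


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return findings per client IP; an empty dict means nothing suspicious."""
    findings: Dict[str, List[str]] = defaultdict(list)
    not_found: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        # Decode before matching, or "%2e%2e%2f" slips past the traversal pattern
        ip, path, agent = entry["ip"], unquote(entry["path"]), entry["agent"].lower()
        if TRAVERSAL_RE.search(path):
            findings[ip].append("directory traversal: " + entry["path"])
        if SQLI_RE.search(path):
            findings[ip].append("SQL injection: " + entry["path"])
        if any(s in agent for s in SCANNER_AGENTS):
            findings[ip].append("scanner user-agent: " + entry["agent"])
        if entry["status"] == "404":
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings[ip].append(f"{n} responses with 404: probable directory enumeration")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in sorted(analyze(SAMPLE_LOG).items()):
        print(ip)
        for note in notes:
            print("  -", note)
```

Two caveats a log review should keep in mind: the 200 on the traversal request means the file was served, so that line is an incident, not a probe; and POST bodies are not logged in this format, so injection delivered in form fields leaves only a status code behind.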
Step 17: Exploit frameworks
Exploit the frameworks used by the web server using tools such as Acunetix, Metasploit, w3af, etc.

Step 18: Document all the findings
Summarize all the tests conducted so far along with the findings for further analysis. Submit a
Module Summary

© Web servers assume critical importance in the realm of Internet security.
© Vulnerabilities exist in different releases of popular web servers, and the respective vendors patch these often.
© The inherent security risks owing to compromised web servers impact the local area networks that host these websites, and even the normal users of web browsers.
© Looking through the long list of vulnerabilities that have been discovered and patched over the past few years, an attacker has ample scope to plan attacks on unpatched servers.
© Different tools and exploit codes aid an attacker in perpetrating web server hacking.
© Countermeasures include scanning for the existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering.