© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Sheikh, Certified Ethical Hacker (CEH) Preparation Guide, https://doi.org/10.1007/978-1-4842-7258-9_9

9. Hacking Webservers

Ahmed Sheikh, Miami, FL, USA

In this chapter, you will learn what occurs in the process of hacking a web server. You will gain an understanding of the basic architecture of a web server and will be introduced to the vulnerabilities associated with it. You will also learn about effective countermeasures to protect against a web server attack.

By the end of this chapter, you will be able to
  1. Define web server architecture.
  2. Describe web application attacks.
  3. Explore various web server attacks.

     

Web Server Security Vulnerabilities

A web server presents different problems for different types of users. For example, a webmaster may be concerned that the web server will expose the LAN to threats via the Internet. A network administrator may be concerned that a poorly configured web server will provide a hole in the local network’s security. The end user may be concerned that active content like ActiveX or Java will make it possible for applications to invade the user’s system. See Figure 9-1.

Figure 9-1. Web server security vulnerabilities

Types of Risk

Browser-side risks affect the end user and can include active content that can crash a browser or result in the misuse of personal information. Eavesdroppers can capture data transmitted on the network.

Bugs and configuration errors permit unauthorized remote users to steal classified information, execute commands to alter the configuration, retrieve host-based information to be used to compromise a system, and launch DoS attacks.

Web Server Attacks

Web site defacement is an attack that changes the appearance of the site or a webpage. Religious and government websites are often targeted by hacktivists to spread political messages. These attacks can come in the form of man-in-the-middle attacks, brute force attacks, DNS attacks, SQL injections, directory traversal attacks, and remote service intrusions.

Internet Information Services (IIS), Microsoft’s web server, has been a frequent target of attacks. The specific vulnerabilities exploited include the ::$DATA vulnerability, the showcode.asp vulnerability, the piggybacking vulnerability, buffer overflows, and WebDAV/RPC exploits.

IIS Components

When you look at the various components used by IIS to provide functionality, it is no wonder that web server security can be a challenge. IIS relies on a collection of DLLs that work together with the main server process to provide all of its capabilities.

Components of IIS include the following:
  • Protocol listeners (HTTP.sys)
  • Web services (WWW services)
  • Activation services
  • BITS server extension
  • Common files
  • FTP service
  • FrontPage Server Extensions
  • IIS Manager
  • Internet printing
  • NNTP service
  • SMTP service

IIS Logs

Network administrators use the log files captured with IIS as an important part of web server administration. Combining the IIS log files with other monitoring records can strengthen any evidence and give it greater credibility.

The rules for logging include
  1. Configuring logs to record every available field.
  2. Capturing events with a time stamp.
  3. Ensuring continuity.
  4. Ensuring logs are not modified after the original recording.
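
The four rules above can be checked mechanically. The following Python sketch is an added example, not code from the book: it parses a constructed W3C extended log sample, reports fields that are not being recorded, flags gaps between timestamps, and hashes the file so later modification can be detected. The REQUIRED field set and the 30-minute gap threshold are assumptions to adapt to local policy.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-01 10:00:01 198.51.100.7 GET /index.htm 200
2021-03-01 10:00:05 198.51.100.7 GET /robots.txt 200
2021-03-01 10:45:30 203.0.113.9 GET /default.asp 200
"""

# Fields this example expects to see; an assumption, adjust to your logging policy.
REQUIRED = {"date", "time", "c-ip", "cs-username", "cs-method", "cs-uri-stem",
            "cs-uri-query", "sc-status", "cs(User-Agent)"}

def parse(text):
    """Return (field names, list of row dicts) from W3C extended log text."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return fields, rows

def missing_fields(fields):
    """Rule 1: required fields that the log is not recording."""
    return sorted(REQUIRED - set(fields))

def gaps(rows, max_gap=timedelta(minutes=30)):
    """Rules 2 and 3: a row without date/time raises KeyError; long silences are returned."""
    stamps = [datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
              for r in rows]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

def digest(text):
    """Rule 4: hash recorded at collection time and compared again before use."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    fields, rows = parse(SAMPLE_LOG)
    print("missing:", missing_fields(fields))
    print("gaps:", gaps(rows))
    print("sha256:", digest(SAMPLE_LOG))
```

Store the digest somewhere the web server account cannot write to, so a changed log no longer matches it.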

     

Web Server Security

A number of steps can be taken to increase web server security regardless of the web server you are using. You can use firewalls; rename administrator accounts; disable default web sites; remove unused application mappings; disable directory browsing; post legal notices; install service packs, hotfixes, and templates; and disable remote administration.

Web Server Security Checklist

  1. Patches and updates: To reduce the risk of housing harmful software viruses, it is important to download patches and updates. They help protect by removing unnecessary information and build on the active support you have on your system.

  2. Auditing and logging: Auditing and logging help because you can enable and log failed logon attempts, relocate IIS log files, lock down servers, and secure sites and virtual directories.

  3. Services: Reducing the number of services or disabling unneeded protocols reduces the attack surface of the web server. You have to ensure, though, that the required functionality of the web server has not been reduced too greatly. Protocols you want to disable are WebDAV, NetBIOS, and SMB.

     Script mapping is another security measure: you can map the .idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, and .printer extensions to 404.dll. You can also use ISAPI filters, which watch information coming in and going out, and modify information to protect the system from attacks.

  4. Protocols: It is important to disable guest accounts and those that are not in use, rename the administrator account, and disable null user connections. One more security measure you can take is to remove administrative shares such as C$ and Admin$.

     

Apache Web Server Security Checklist

The majority of web servers are Linux-based and use Apache Web Server software. The security checklist shown provides some guidance specific to Apache. Although there is much more involved in securing a web server, it is beyond the scope of this book.

The security checklist for Apache Web Servers is as follows:
  1. Disable unnecessary modules.
  2. Run Apache as a separate user and group.
  3. Restrict access to the root directory.
  4. Set permissions for the conf and bin directories.
  5. Disable directory browsing.
  6. Disallow .htaccess.
  7. Do not display or send Apache versions.
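
As an added example (not from the book), the Python check below audits httpd.conf text against the checklist items that are visible in the configuration itself: separate user and group, root directory access, directory browsing, .htaccess, and version disclosure. Both configuration fragments are constructed for illustration and the function names are this example's own; module selection and file permissions on conf and bin are outside what it inspects.

```python
import re

# Constructed httpd.conf fragments for illustration (not from a real server).
WEAK = """\
User root
Group root
ServerTokens Full
ServerSignature On
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""
HARDENED = """\
User apache
Group apache
ServerTokens Prod
ServerSignature Off
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
"""

def value(conf, name):
    """Last value given for a directive (lower-cased), or '' if it is absent."""
    found = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.M | re.I)
    return found[-1].lower() if found else ""

def browsing_enabled(conf):
    """True if any Options line turns on Indexes, directly or through All."""
    lines = re.findall(r"^[ \t]*Options[ \t]+(.+)$", conf, re.M | re.I)
    return any(t.lstrip("+").lower() in ("indexes", "all") for o in lines for t in o.split())

def unmet(conf):
    """Checklist items that the configuration text does not explicitly satisfy."""
    root = "".join(re.findall(r'<Directory[ \t]+"?/"?[ \t]*>(.*?)</Directory>', conf, re.S | re.I))
    checks = {
        "run as a separate user": value(conf, "User") not in ("", "root"),
        "run as a separate group": value(conf, "Group") not in ("", "root"),
        "restrict access to the root directory": value(root, "Require") == "all denied",
        "disable directory browsing": not browsing_enabled(conf),
        "disallow .htaccess": value(root, "AllowOverride") == "none",
        "do not send Apache versions": value(conf, "ServerTokens") in ("prod", "productonly"),
        "do not display Apache versions": value(conf, "ServerSignature") == "off",
    }
    return [item for item, ok in checks.items() if not ok]
```

Calling `unmet(WEAK)` lists all seven failed checks, while `unmet(HARDENED)` returns an empty list. A missing directive is reported as unmet so that the hardening is stated explicitly rather than left to version-dependent defaults.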

     

Using Armitage to Attack the Network

After running the scan to find open ports with Zenmap, scroll to 80/tcp on the Output tab. Examine the robots.txt file, which restricts the directory locations that web robots can traverse. Review Figure 9-2, which shows using Zenmap to scan the public IP address of the XYZ company and then selecting the Nmap Output tab.

Figure 9-2. Using Zenmap

Using Armitage

This is the Internet-facing Windows device, so you have to attack IIS. Most IIS attacks, unfortunately, work against Windows 2000 machines, and the banner messages seemed to indicate a Windows 2003 server.

To try the IIS WebDAV attack, right-click 216.1.1.1 and choose Attack, then choose IIS from the options, and then choose iis_webdav_upload_asp. See Figure 9-3.

Figure 9-3. IIS WebDAV attack

The target will change to red (with lightning) to indicate that it has been compromised.
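
From the defender's side, a WebDAV upload like the one above is visible in the IIS log as write-method requests that the server accepted. The Python example below is added here and is not from the book; it runs over constructed log lines and reports clients whose WebDAV writes succeeded and who then requested a script file. The method list, the .asp/.aspx extensions, and the sample addresses are assumptions of the example.

```python
from collections import defaultdict

# Constructed IIS log lines in W3C extended format (not captured from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-03-01 10:00:05 198.51.100.7 GET /robots.txt 200
2021-03-01 10:02:11 203.0.113.9 OPTIONS / 200
2021-03-01 10:02:12 203.0.113.9 PUT /uploads/a1.txt 201
2021-03-01 10:02:13 203.0.113.9 MOVE /uploads/a1.txt 201
2021-03-01 10:02:14 203.0.113.9 GET /uploads/a1.asp 200
2021-03-01 10:05:40 198.51.100.7 PUT /index.htm 403
"""

# Assumed detection settings: WebDAV methods that change content, script extensions.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
SCRIPT_EXT = (".asp", ".aspx")

def webdav_alerts(text):
    """Map client IP -> findings: accepted WebDAV writes, then script requests."""
    fields, writers, alerts = [], set(), defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        r = dict(zip(fields, line.split()))
        ip, method, path = r["c-ip"], r["cs-method"].upper(), r["cs-uri-stem"]
        accepted = r["sc-status"].startswith("2")  # rejected attempts (4xx) are ignored
        if method in WRITE_METHODS and accepted:
            writers.add(ip)
            alerts[ip].append(f"write accepted: {method} {path}")
        elif ip in writers and accepted and path.lower().endswith(SCRIPT_EXT):
            alerts[ip].append(f"script requested after write: {method} {path}")
    return dict(alerts)

if __name__ == "__main__":
    for ip, findings in webdav_alerts(SAMPLE_LOG).items():
        print(ip, findings)
```

On a server where WebDAV is supposed to be disabled, any accepted write method is worth an alert on its own.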

As shown in Figure 9-4, type the following command to escalate privileges:

meterpreter > getsystem

Figure 9-4. Meterpreter 1

If an attacker is connected to a target on an internal network, they can use that machine to pivot and target other machines with private IP addresses on the internal network. Armitage can reveal what operating system and service pack level the target machine seems to be using upon scanning a machine. More ports on machines on internal networks are likely to be open, as compared to machines directly connected to the Internet. If the attacker can connect to another victim, it will be shown with a red border. See Figures 9-5 and 9-6.

Figure 9-5. Configuring a remote attack

Figure 9-6. Connecting to another victim

The attacker now has control of the Windows 2003 and 2008 machines on the internal network. The next move for the attacker is to attack the workstation running XP. See Figure 9-7.

Figure 9-7. More victims

Three compromised machines should now be on the internal network. On all of these Microsoft Windows systems, you also have SYSTEM-level access. After acquiring network control, the attacker may carry out post-exploitation activities, including installing malware, executing programs, dumping hashes, timestomping, disrupting services, killing processes, and stealing information. See Figure 9-8.

Figure 9-8. Compromised machines

Summary

This chapter introduced you to various security concerns surrounding web servers. This information is essential for server administrators who have to address a number of security concerns including malicious code, network security, and server bugs to keep systems up and running. In this lesson, you gained knowledge regarding web servers including their architecture, vulnerabilities, and the countermeasures to protect against web server attacks.
