In this chapter, you will learn what occurs in the process of hacking a web server. You will gain an understanding of the basic architecture of a web server and be introduced to the vulnerabilities associated with it. You will also learn about effective countermeasures to protect against a web server attack.
1. Define web server architecture.
2. Describe web application attacks.
3. Explore various web server attacks.
Web Server Security Vulnerabilities
Types of Risk
Browser-side risks affect the end user and can include active content that can crash a browser or result in the misuse of personal information. Eavesdroppers can capture data transmitted on the network.
Bugs and configuration errors permit unauthorized remote users to steal classified information, execute commands to alter the configuration, retrieve host-based information to be used to compromise a system, and launch DoS attacks.
Web Server Attacks
Web site defacement is an attack that changes the appearance of the site or a webpage. Hacktivists often target religious and government websites to spread political messages. These attacks can come in the form of man-in-the-middle attacks, brute force attacks, DNS attacks, SQL injections, directory traversal attacks, and remote service intrusions.
Internet Information Services (IIS), Microsoft’s web server, has been a frequent target of attacks. The specific vulnerabilities exploited include the ::$DATA vulnerability, the showcode.asp vulnerability, the piggybacking vulnerability, buffer overflows, and WebDAV/RPC exploits.
IIS Components
When you look at the various components used by IIS to provide functionality, it is no wonder that web server security can be a challenge. IIS relies on a collection of DLLs that work together with the main server process to provide all of its capabilities.
Protocol listeners (HTTP.sys)
Web services (WWW services)
Activation services
BITS server extension
Common files
FTP service
FrontPage Server Extensions
IIS Manager
Internet printing
NNTP service
SMTP service
IIS Logs
Network administrators use the log files captured with IIS as an important part of web server administration. Combining the IIS log files with other monitoring records can strengthen any evidence and give it greater credibility.
1. Configuring logs to record every available field.
2. Capturing events with a time stamp.
3. Ensuring continuity.
4. Ensuring logs are not modified after the original recording.
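The four log requirements above can be checked mechanically. The following is an added example, not code from the book: it reads a log in the W3C extended format that IIS writes, reports fields missing from the `#Fields:` directive, records without a usable time stamp, and breaks in continuity, and it computes a SHA-256 digest that can be stored at collection time to show later that the file was not modified. The baseline field set, the 15-minute gap threshold, and the sample log are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Baseline fields this example expects; adjust to your own logging policy (assumption).
REQUIRED = {"date", "time", "c-ip", "cs-username", "cs-method",
            "cs-uri-stem", "cs-uri-query", "sc-status", "cs(User-Agent)"}

def audit_w3c_log(text, max_gap=timedelta(minutes=15)):
    """Return a list of findings for one W3C extended log file."""
    findings, fields, prev = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            missing = REQUIRED - set(fields)
            if missing:
                findings.append(f"line {n}: fields not logged: {sorted(missing)}")
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank line or another directive such as #Software
        row = dict(zip(fields, line.split()))
        try:
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            findings.append(f"line {n}: record has no usable time stamp")
            continue
        if prev is not None and ts < prev:
            findings.append(f"line {n}: time stamp goes backwards")
        elif prev is not None and ts - prev > max_gap:
            findings.append(f"line {n}: gap of {ts - prev} before this record")
        prev = ts
    return findings

def digest(text):
    """SHA-256 recorded at collection time; a later mismatch means the file changed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample log (not taken from a real server).
SAMPLE = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 09:00:01 192.0.2.10 GET /index.htm 200
2024-01-10 09:00:05 192.0.2.11 GET /login.asp 401
2024-01-10 11:30:00 192.0.2.10 GET /index.htm 200
2024-01-10 11:29:00 192.0.2.12 GET /admin.asp 403
"""

if __name__ == "__main__":
    baseline = digest(SAMPLE)
    print(audit_w3c_log(SAMPLE))
    print("edited copy matches:", digest(SAMPLE.replace("403", "200")) == baseline)
```

Store the digest somewhere the web server account cannot write to, otherwise a modified log can simply be re-hashed.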
Web Server Security
A number of steps can be taken to increase web server security regardless of the web server you are using. You can use firewalls; rename administrator accounts; disable default web sites; remove unused application mappings; disable directory browsing; post legal notices; install service packs, hotfixes, and templates; and disable remote administration.
Web Server Security Checklist
1. Patches and updates: To reduce the risk of harboring harmful software and viruses, it is important to download patches and updates. They help protect the system by removing unnecessary information and build on the active support you have for your system.
2. Auditing and logging: Auditing and logging help because you can enable logging of failed logon attempts, relocate IIS log files, lock down servers, and secure sites and virtual directories.
3. Services: Reducing the number of services or disabling unneeded protocols reduces the attack surface of the web server. You have to ensure, though, that the required functionality of the web server has not been reduced too much. Protocols you want to disable are WebDAV, NetBIOS, and SMB.
   Script mapping is another security measure: you can map files with the extensions .idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, and .printer to 404.dll. You can also use ISAPI filters, which watch information coming in and going out and modify it to protect the system from attacks.
4. Protocols: It is important to disable guest accounts and those that are not in use, rename the administrator account, and disable null user connections. Another security measure is to remove administrative shares such as C$ and Admin$.
Apache Web Server Security Checklist
The majority of web servers are Linux-based and use Apache Web Server software. The security checklist shown provides some guidance specific to Apache. Although there is much more involved in securing a web server, it is beyond the scope of this book.
1. Disable unnecessary modules.
2. Run Apache as a separate user and group.
3. Restrict access to the root directory.
4. Set permissions for the conf and bin directories.
5. Disable directory browsing.
6. Disallow .htaccess.
7. Do not display or send Apache versions.
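Several of these items correspond to specific Apache directives, so a configuration can be audited against them. The following is an added example, not code from the book: it checks configuration text for items 2, 3, 5, 6 and 7 and is run on a weak configuration and a hardened one. It assumes Apache 2.4 syntax (`Require all denied`); both sample configurations and the account name `apache` are constructed for the example.

```python
import re

def audit_apache_conf(text):
    """Check configuration text against checklist items 2, 3, 5, 6 and 7."""
    findings, seen, section, root_denied = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if m or line.lower().startswith("</directory"):
            section = m.group(1) if m else None  # track the enclosing <Directory>
            continue
        name, _, value = line.partition(" ")
        name, value = name.lower(), value.strip()
        seen[name] = value
        if name in ("user", "group") and value.lower() in ("root", "#0"):
            findings.append(f"item 2: {name} is root")
        if name == "options" and re.search(r"(^|\s)\+?(Indexes|All)\b", value, re.I):
            findings.append(f"item 5: directory browsing enabled in {section or 'server config'}")
        if name == "allowoverride" and value.lower() != "none":
            findings.append(f"item 6: .htaccess overrides allowed in {section or 'server config'}")
        root_denied |= (section, name, value.lower()) == ("/", "require", "all denied")
    if not root_denied:
        findings.append("item 3: <Directory /> does not deny access")
    for directive, want in (("ServerTokens", "Prod"), ("ServerSignature", "Off")):
        if seen.get(directive.lower(), "").lower() != want.lower():
            findings.append(f"item 7: {directive} is not {want}")
    return findings

# Constructed configurations; the account name "apache" is an assumption.
WEAK = """User root
Group root
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>"""
HARDENED = """User apache
Group apache
ServerTokens Prod
ServerSignature Off
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>"""

if __name__ == "__main__":
    print(audit_apache_conf(WEAK), audit_apache_conf(HARDENED))
```

Items 1 and 4 are not covered: which modules are unnecessary depends on the site, and directory permissions are set on the file system rather than in the configuration file.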
Using Armitage to Attack the Network
Using Armitage
This is the Internet-facing Windows device, so you have to attack IIS. Unfortunately, most IIS attacks function against Windows 2000 machines, and the banner messages seemed to indicate a Windows 2003 server.
The target will change to red (with lightning) to indicate that it has been compromised.
As shown in Figure 9-4, type the following command to escalate privileges:
Summary
This chapter introduced you to various security concerns surrounding web servers. This information is essential for server administrators who have to address a number of security concerns including malicious code, network security, and server bugs to keep systems up and running. In this lesson, you gained knowledge regarding web servers including their architecture, vulnerabilities, and the countermeasures to protect against web server attacks.