Hacking Web Servers (Whiteboard)

Transcript

In this module I want to talk about hacking web servers, which leads up to our next module of hacking the actual web applications. So let us take a look at this target. The first thing is to understand the landscape of what happens on the wild, wild web. By product line, IIS has about 70% of the market. Apache has a whopping 65% of the market, mostly because of the hosting services; it is really easy to duplicate and virtualize Apache as opposed to IIS. Nginx comes in at 13%, and then everything else (Google, Lyke) makes up the rest of the market space. So most of what we do here is going to be either Apache based or Windows based. Impact: the results of what happens in the web server world if things were to go wrong. Most likely website defacement. This is where somebody gets access to your stuff and puts some other banner or something on your homepage which basically says you have been hacked by so and so. Ultimately that can lead to some sort of compromise; it is yet to be determined what the compromise means, but a compromise is either in confidentiality, integrity, availability, authentication, user accounts, whatever it is, if somebody compromises your website. Ultimately they can start tampering with the data. Tampering comes in very quickly, so it is either manipulating or changing the integrity, an attack against the integrity of your web servers, or theft of information. It could be things like credit cards or financial information or whatever; it is an attack on integrity, or it is an attack on confidentiality, or just stealing the stuff they possess, or, what I think is more important, a pivot point. You get access to someone's web server and that access is a pivot point for you to get into the internal network, and then you can have your way with the organization. So we typically use this front end / back end approach: if you can tap into the front end, use that as the pivot point.
Now you can go after the internal things like Active Directory or internal DNS, etc. So there are all sorts of techniques that can be used here. There is literally no shortage, and it does help to have a programming background here. It is not necessarily required, but there are lots of keywords and buzzwords that get really confusing really quickly. So stay with me. Directory traversal: this is really navigating the web server's directory in some way. We typically call this the ../ technique because that is an easy way to navigate up and down the directory tree. So you may want to start wherever the web server is hosted, the directory on which the web server is hosted, ../ ../ ../ all the way up to the root, and then go back down and grab something like the command prompt or something like that. Also HTTP response splitting: this is where the attacker sends code either to the client or to the web server, but nonetheless it has to go to the web server, and you send multiple requests to the web server and then you get multiple requests back. So it is forcing the web server to basically send multiple responses back to what should be the attacker or the penetration tester, and then take advantage of web cache poisoning. Whatever web cache is on the web server, if you can poison it and insert your malicious code or something to that effect, well then the penetration tester can take advantage of that. SSH brute force: this is really trying to get inside the encrypted tunnels; if you can get in there, depending on the algorithm, but if you can get inside the encryption tunnels, good news for you, the penetration tester. Also the mail techniques; these are applicable here. Password cracking techniques, I have a little note here: dictionary, brute force or hybrid, any of those are technically fair game. Form tampering, command injection: sending a command to the server saying shut down, or give me the command prompt, or give me ipconfig, whatever it is.
Ultimately getting the application to execute operating system commands. Tampering with cookies, or doing a buffer overflow attack; there is a whole module on that coming up. Denial of service or distributed denial of service, or cross-site request forgery, or SQL injection, or cross-site scripting, or even session hijacking. Notice that our web front ends are basically the portal through which all of these other styles of attack can come into play. So there is no shortage of really valuable pen testing techniques. So we talked about the techniques; let us talk about why this stuff happens to begin with. It is because of web servers, or developers, and not all developers are security people. Not all security people are developers, and frankly everybody is lazy these days. So you have unnecessary files, unnecessary backups, unnecessary configurations; you haven't hardened your system, which increases the surface area of attack, which gives the penetration tester more options to go after. Plus there might be a conflict between security and functionality: on the functionality side, we want A, B, C, 1, 2 and 3 to happen, and then the security people are often considered the naggers, "you can't do that because of A, B, C" or whatever it is; typically the functionality part is going to win. We want the applications to function. Now, security people are really the people who go making everybody's lives miserable, as some say, but somebody has got to put the fun in functionality; I would like to think the security folks are the guys that do that. Default settings: if there are default settings, default configurations, default accounts, well, the pen tester is certainly going to try to take advantage of them. Permissions, default permissions: what directories are set up to read, write or execute, and if you can go after an executable directory...
Great; like, for example, if I can upload a page to any directory that is executable, well, now I can upload the file, the PHP file, to that executable directory, and now I can run my own scripts and my own attacks from that. So you always look for vulnerable access control, misconfigurations in whatever shape they come. Default accounts, for example: the first account created is the administrator account; the second is normally the guest account. So the attacker knows this and is certainly going to try to go after that in terms of enumerating the accounts. Also plenty of security bugs and flaws; remember, we are in the business to make money. The industry is in the business to make money, so there is always a rush to get things to the marketplace. So we don't take this regular security development, or software development, to the point where it is just perfect; it is normally get it out there, and whatever security weakness we find, we go ahead and patch, etc. Also temporary certificates or temporary SSL: let us say that you protect the login features of your website, but as soon as you log in you go back to clear text. Well, that is a field of dreams for a penetration tester, because now you are outside of the encrypted session; or improper authentication. How about no hardening? Therefore you have a large surface area of attack that gives the penetration tester tons of space to go after. Or the fact that with Joomla, Drupal, WordPress, now anybody can be a programmer. So literally grandmoms could go to WordPress, start downloading it, and a few clicks later she can have her own point-and-click website. Well, grandmom is probably not going to be your penetration tester; apologies to all the grandmothers out there who are penetration testers. You know what I am talking about; it is basically programming out of a box. If anybody can do it, well then you subject yourself to the rest of the internet, and anybody can start probing your websites.
Let us go up to methodology. The penetration testing methodology here is relatively simple. You basically do some information gathering, your footprinting: find out your surface area. Is it Joomla or WordPress? Is it Apache, is it IIS, is it Nginx? What does your destination look like? Try to enumerate and footprint those services, and in some cases you can even just mirror the website. I am not a fan of mirroring tools because it is pretty aggressive, at least from the log file analysis point of view, because when you are looking at log files it literally looks like the whole website is getting ripped down. So I don't like mirroring, but I do like mapping out a directory or an application through what appears to be normal browsing activity. This is where tools like the Burp Suite come into play, because as you naturally surf it slowly starts building that directory structure without just ripping the whole thing down. And then finally doing vulnerability scans and then exploitation. So you have to know what the weaknesses are so that you can ultimately exploit them. This is where the Metasploit framework has literally done wonders for the world of penetration testers, because with a little bit of expertise you have just tons and tons of vulnerabilities, or exploits which take advantage of those vulnerabilities. A couple more vibes over here: the penetration tester is always looking for error messages, because, just like from a functionality point of view, you need an error message in order to fix something. Well, a penetration tester needs an error message or some sort of verbose logging to ultimately give the penetration tester more ammunition to actually go after. Plus anonymous users, or any sort of sample configuration or scripts; these are all valid for the pen tester. Remote admin capabilities: since we are all over the web, nobody wants to go to the office to do anything anymore.
So let us take advantage of remote administration. That becomes a problem now because hackers can go after these remote admin portals as well. Any sort of unnecessary services or misconfigurations; those are also additional features of why. So now we have got the basic methodology of web server hacking; let us look at some of the most common countermeasures in the grand scheme of things when you buy them. So, patches: you should have a patch management process at this point. If you don't, that is a problem. Alternative sites versus alternative servers: while in the world of business continuity we have alternative sites, hot sites, warm sites or cold sites, you can also apply that similar style of thinking to an alternative server; in other words, if your primary server goes down, what about having a hot standby, or maybe even a cold site, so that you can keep your business up and running. Don't do your testing in the production environment. It is really easy to go, "Okay, it is just a little file that you need to upload; upload it and be done with it." But realistically all of the testing should be done in the testing/validation environment, and those changes should go through a change control process, and then ultimately it gets to your production environment. Also make sure that you have got backups, and if you require higher availability make sure you can literally flip a switch and go to another server. Another countermeasure: hire me! What that means is hire someone like me to come in and show you the weaknesses and tell you what you are going to need to fix them. Then either you will fix them or you will hire somebody else to fix them; hire someone like ourselves. Get us involved; we have too much of an opinion and expertise on this stuff for you to blatantly ignore it. So the hire concept is: don't be cheap about this stuff. You are always going to pay for it.
Your only choice in this is that it is cheaper proactively up front, or much more costly if it is going to be reactive. If you have to detect and correct, it is always ten times more expensive than just proactively getting an opinion and having a penetration tester come in and look at this stuff. Do protocol analysis: if you are using things like SMTP, POP3, IMAP, monitor that stuff; if you are using directory services like LDAP, monitor it. Whatever your web service architecture looks like, actually monitor it. Do your protocol analysis, find out what is normal, have a baseline and be able to compare against it. Monitor accounts; that is another very, very easy one. How many useless accounts get created in your web application, or are you disabling them? Is there some sort of manual approval process, or can just anybody create an account for the sake of creating an account? Nowadays we associate the growth of accounts with productivity, and we don't want to delete anybody's account for fear of making them upset, but realistically creating an account and validating an account should go hand in hand these days. Also monitor the files and directories: you may see a file uploaded to a website, but an exploit might happen two or three months later. They are just uploading the file to the website to see if anybody is looking, alright. It is kind of like breaking into a house: you might break in and be able to pick the lock; that might be the time to actually go and rip the television set out of the house, or you might want to just get access to the house and then come back a month later when the people are on vacation and then take the television, using an analogy from the physical world. Encryption, encryption, encryption; you can never encrypt enough. Network layer with IPsec or equivalent, or at the application layer SSL/TLS or some equivalent. Especially application layer encryption.
One of the things that happens in the home environment is that it is really easy on a Linksys router to go ahead and move something virtually from the inside of your network onto the DMZ at the click of a button inside your Linksys home router. Obviously, if you are doing something out of the home that may be applicable, but you are certainly, at the click of a button, putting a whole server right out on the internet. You wouldn't want to take that approach in the corporate environment; that means the equivalent of putting your security database right out on the internet, you know, at the click of a button. Have a good architecture: separate your presentation, your application and your data into three separate zones, and monitor that with firewalls and intrusion detection, etc. Use good architecture, not just your classic academic DMZ picture. Actually separate it out; there are plenty of good resources if you actually want to know what the architecture should look like. Next, vulnerability scanning: do it yourself. Use tools like Nikto or Wikto or Nessus or any of the top ten vulnerability scanners out there, and see what your own vulnerabilities are proactively yourself, and then fix the vulnerabilities, or at least validate that they are accurate. Don't just not do it; that is literally like, you know, driving down the highway with no safety mechanisms whatsoever. It is a dangerous world out there; the world of the internet is no different than literally driving on the highway. So find out where you are weak; you get into your car and find out on your way that you got into an accident, and it was because my tyres were bald and they didn't have any tread. Proactively seek this stuff out, and then lastly the concept of data loss prevention, or DLP. These tools typically sell themselves, because you can get a loaner piece of equipment for data loss prevention and you can see, as you are bringing stuff in the front door, somebody else is taking the stuff right out the back door.
So data loss prevention technologies are put in place to go ahead and define what good criteria are, or what sensitive information is, like social security numbers, emails, accounts, banking statements, etc., and to monitor that, so that if you see someone emailing a social security number out, then that information gets quarantined and you have to get an exception if it is an authorized, legitimate use of that. So data loss prevention has really only come out in the last couple of years or so and started being mainstream. Remember, we didn't have patch management processes or robust change management processes either, and it is just now that everybody is familiar with patch management or change management. I have seen plenty of change control boards and patch management processes, and most of them that I have seen, in my opinion, are a joke. They don't serve the purpose, and here is how you know if you need help in the change management or patch management process: if everybody complains about it, you are not doing it right. Remember, change management is really your proactive way of getting into your environment to detect and correct things prior to going to production. If change management is just "got to go to the change management board again, and we got away for this," then it is a very reactive process and probably not; your client is wasting a lot of time and money jumping through the hoops. Change management should proactively be saving the company money if it is done correctly. If it is not, and you have it, it is not being done correctly. Then you have got to implement a Six Sigma methodology: find out your "as is" and what your "to be" should look like, and then go ahead and get to that ideal state so that it actually works and saves you money. So, all in all, hacking web servers is a lot of technologies, most of them, by market share, being IIS and Apache.
An easy methodology to go ahead and hack this stuff, lots of reasons why this stuff goes wrong, and a bunch of countermeasures, basically common sense oriented. So this is the setup for what we see in hacking web applications, which is the next module. So let us go ahead and look at some examples.

This whiteboard lecture addresses how to hack web servers. The purpose of ethical hacking is to evaluate the security of a network or system's infrastructure. There are many different methods and techniques used when hacking web servers, and it is important to understand all of them so we can learn how to prevent these attacks.
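The lecture names directory traversal (the ../ technique) and HTTP response splitting as web server attacks, and later recommends log file analysis and monitoring files and directories as countermeasures. The following Python is an added example written for this page, not code from the lecture or from Cybrary; it shows both sides of that: the canonicalisation check a file-serving handler should make so a requested path cannot escape the document root, and a small detector run over constructed Apache/Nginx combined-format log lines that flags traversal and CRLF-injection attempts. The document root path, IP addresses and log lines are all constructed for the example.

```python
"""Defender-side checks for two web server issues: directory traversal and
HTTP response splitting (CRLF injected into request data).

Added example for this page; the docroot and log lines below are constructed.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /download?file=..%2F..%2Fwin.ini HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /redirect?url=%2Fhome%0D%0ASet-Cookie%3A+x%3D1 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/app.css HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A ".." segment at the start of the path/query value or after a separator.
TRAVERSAL_RE = re.compile(r'(?:^|[/?=&])\.\.(?:/|$)')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (e.g. %252e) are
    compared in their final form, the form the file system would see."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_under_root(docroot: str, requested: str) -> Optional[str]:
    """Map a requested URL path to a file system path, or return None if the
    canonical path would leave the document root. realpath() collapses '..'
    (and symlinks), so a traversal ends up outside root and commonpath catches it."""
    root = os.path.realpath(docroot)
    rel = fully_decode(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify_request(target: str) -> list:
    """Findings for one request target: 'traversal' and/or 'crlf-injection'."""
    findings = []
    decoded = fully_decode(target).replace("\\", "/")
    if TRAVERSAL_RE.search(decoded):
        findings.append("traversal")
    # A raw CR or LF inside request data is what response splitting relies on.
    if "\r" in decoded or "\n" in decoded:
        findings.append("crlf-injection")
    return findings


def scan_log(log_text: str) -> list:
    """Run classify_request over every parseable line; return the flagged ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": m["status"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    # Constructed docroot: the first request stays inside it, the second does not.
    print(resolve_under_root("/srv/example-docroot", "/images/logo.png"))
    print(resolve_under_root("/srv/example-docroot", "/images/../../../../etc/passwd"))
```

The detector decodes before matching because a traversal written as %2e%2e%2f is still ../ by the time the file system sees it; the same decoding step sits in the server-side check, so the two agree on what counts as the canonical path. Note that a 404 on the traversal line is not a reason to ignore it: as the lecture says, the probe may come long before the exploit.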