Certified Ethical Hacker - Part 11-1 - Hacking Web Server

by Riazul H. Rozen
Jan. 31, 2018 | Certifications, CEH

Web Servers and the Underlying Security Issues Surrounding It

Web servers consist of both hardware and software used to host websites, but unlike internal network and operating system components they can be reached from anywhere on the internet. That exposure makes it easy for attackers to exploit software weaknesses and system configuration errors and thereby compromise the system.

When attackers take advantage of these weaknesses, a number of harmful outcomes can follow, from website defacement to data theft, data modification and compromised user accounts. Attackers could also gain root access to other servers or applications.

Attackers could gain access to web servers for the following reasons:

  • Invalid authentication process with external systems
  • Lax security with regards to default accounts and default or no passwords
  • Bugs in web and OS applications
  • Installing servers with default settings
  • Implementing self-signed or default certificates
  • Easily accessible debugging functions on web servers
  • Inappropriate file and directory permissions

Types of Web Server Attacks

DoS/DDoS attacks

These attacks are used to gain credentials for further nefarious acts. Here, the attacker floods the web server with a large number of requests, making the server inaccessible to legitimate users. Attackers use this method against high-profile servers such as those of government organizations, banks or credit card payment gateways.

[Figure: DoS/DDoS attacks]

When these attacks succeed, they result in service downtime, loss of trust between clients and the organization, financial losses and more.

DNS server hijacking

Here, the attacker takes over the DNS server or modifies its settings to redirect all requests for the victim web server to the attacker's malicious servers.

[Figure: DNS server hijacking]

Once the DNS server has been compromised, when the target machine sends a request to it, the server checks its DNS map for the requested domain name, and this is where the attacker redirects the user's request to the malicious site.

DNS amplification attack

This attack abuses the DNS recursive method, described next, to redirect DNS traffic.

What is the DNS recursive method?

This is the process by which a user tries to find the IP address of another system, asking that the answer be sent back to the user's IP address. The query goes from the user's primary server to a root server; if the root servers cannot answer, they refer the query to a server where that IP address can be found. The referral sends the query on to the primary server for the address the user seeks, and the answer travels back to the user's IP address through the user's primary server.

[Figure: DNS recursive method]
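The amplification risk described above comes from the recursive resolver answering whatever source address a query carries, so a resolver operator can spot abuse by comparing response bytes against query bytes per client. The following resolver-side check is an added example written for this article, not code from the original page; the log records are constructed, and the thresholds (a 10x byte ratio and 4 KiB of responses) are assumed values:

```python
from collections import defaultdict

# Constructed per-query records as a recursive resolver might log them:
# (client_ip, query_bytes, response_bytes). Not captured traffic.
SAMPLE_DNS_RECORDS = [
    ("203.0.113.50", 64, 3200),
    ("203.0.113.50", 64, 3200),
    ("203.0.113.50", 64, 3200),
    ("203.0.113.50", 64, 3200),
    ("198.51.100.20", 58, 120),
    ("198.51.100.20", 60, 210),
    ("192.0.2.77", 70, 1400),
]


def amplification_by_client(records):
    """Aggregate bytes per client address and compute the response/query ratio.

    Returns {client_ip: (query_bytes, response_bytes, ratio)}.
    """
    query = defaultdict(int)
    response = defaultdict(int)
    for ip, query_bytes, response_bytes in records:
        query[ip] += query_bytes
        response[ip] += response_bytes
    return {ip: (query[ip], response[ip], response[ip] / query[ip]) for ip in query}


def suspected_reflection_targets(records, min_ratio=10.0, min_response_bytes=4096):
    """Flag clients that received both a large volume of responses and a high
    amplification ratio. Because the resolver answers the source address in
    the query without verifying it, such a 'client' is often a spoofed victim
    address rather than a real stub resolver. Thresholds are assumed values.
    """
    flagged = []
    for ip, (_, response_bytes, ratio) in amplification_by_client(records).items():
        if ratio >= min_ratio and response_bytes >= min_response_bytes:
            flagged.append((ip, round(ratio, 1)))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, (q, r, ratio) in amplification_by_client(SAMPLE_DNS_RECORDS).items():
        print(f"{ip:15} query={q:5} response={r:6} ratio={ratio:5.1f}")
    print("suspected reflection targets:", suspected_reflection_targets(SAMPLE_DNS_RECORDS))
```

A high ratio alone is normal for a few record types, which is why the check also requires a meaningful byte volume; the durable fix is to restrict recursion to the operator's own client networks so the resolver never answers arbitrary internet addresses.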

Directory Traversal Attacks

Here, the attacker uses sequences of parent-directory references to reach restricted directories located outside the server's root directory. Attackers may also use trial and error to discover sensitive information outside the root server directory.

[Figure: Directory Traversal Attacks]
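A server defends against the traversal described above by canonicalising the requested path and refusing anything that resolves outside the document root. The function below is an added example for this article, not code from the original page or from any particular web server; the document root `/var/www/html`, the request strings and the helper names are constructed for illustration:

```python
import posixpath
from urllib.parse import unquote

# Constructed document root used by the examples below (not a real deployment path).
WEB_ROOT = "/var/www/html"


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def resolve_request_path(web_root: str, request_path: str) -> str:
    """Map the path part of a URL onto a file under web_root.

    The request is percent-decoded twice (to catch double-encoded '..'
    sequences), NUL bytes and backslashes are rejected, and the result is
    normalised so that any '..' segments are collapsed before the prefix
    check. A request that lands outside web_root raises TraversalError
    instead of being served.
    """
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded or "\\" in decoded:
        raise TraversalError(f"illegal characters in request path: {request_path!r}")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError(f"request escapes document root: {request_path!r}")
    return candidate


def is_safe_request(web_root: str, request_path: str) -> bool:
    """Convenience wrapper: True when the request stays inside web_root."""
    try:
        resolve_request_path(web_root, request_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest attempt traversal.
    for path in ("/index.html", "/images/../index.html", "/../../outside.txt",
                 "/%2e%2e/%2e%2e/outside.txt", "/%252e%252e/outside.txt",
                 "/a/..\\..\\outside.txt"):
        verdict = "served" if is_safe_request(WEB_ROOT, path) else "rejected"
        print(f"{path!r:32} -> {verdict}")
```

Note that the check is done on the normalised absolute path rather than by searching the raw string for `..`: `images/../index.html` is legitimately inside the root and is allowed, while encoded and double-encoded forms are caught because decoding happens before normalisation. On a real server the resolved path should additionally be checked against symbolic links, which `posixpath` does not follow.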

Man-in-the-middle attack

The man-in-the-middle attack, also known as a sniffing attack, intercepts communication between the user and the web server by acting as a proxy, in order to obtain sensitive information. The attacker intercepts the user's traffic to the web server, steals session IDs and uses those IDs to connect to the web server, so that when the user sends a request, the attacker can replay it and also read the response the web server returns to the user, without the victim noticing.

[Figure: Man-in-the-middle attack]
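Since the attack above relies on stealing and replaying session IDs, a practical defensive check is to audit how the server issues its session cookie. The auditor below is an added example written for this article, not code from the original page; the two `Set-Cookie` headers are constructed (one weak, one hardened), and the list of session cookie names and the 16-character minimum length are assumptions:

```python
# Constructed Set-Cookie headers (not captured from any real server).
WEAK_HEADER = "PHPSESSID=abc123; Path=/"
HARDENED_HEADER = ("PHPSESSID=4f6d2e8b9c1a7d3e5f0b2c4d6e8f1a3b; Path=/; "
                   "Secure; HttpOnly; SameSite=Lax")

# Cookie names commonly used for session identifiers (assumed list).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session"}


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> list:
    """Return findings describing why the cookie would be easier for an
    attacker positioned between user and server to sniff or replay."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP, where it can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by client-side script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict: cookie is attached to cross-site requests")
    if name.lower() in SESSION_COOKIE_NAMES and len(value) < 16:
        findings.append("session identifier is short and may be guessable")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_session_cookie(header) or ["no findings"])
```

The `Secure` flag is the one that directly addresses the sniffing scenario: without it the browser will send the session ID over an unencrypted connection, and the check only has teeth when the site is served over TLS in the first place.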

Phishing attacks

The attacker tricks the user into divulging login details for a particular website by putting up a fake webpage. Once the details have been stolen, the attacker poses as the legitimate user and performs unauthorized activities on the target web server.

Website defacement

This is used by an attacker to change the appearance of the target website to graphics or words that are generally offensive, with the objective of defacing and discrediting the site. The modification remains until the owner regains access to the website settings, so in the meantime visitors or clients are exposed to misleading information. Attackers perform this malicious act with different techniques, one of which is MySQL injection.

Web server misconfiguration

Attackers take advantage of vulnerabilities in the system, for instance remote administration functions, default SSL certificates, script files, verbose error messages and default passwords, to perform malicious acts such as theft, intrusion and directory traversal.

SSH brute force attack

When unencrypted data needs to be transferred over an insecure network, the SSH protocol is used to create an SSH tunnel that carries the data. Attackers may brute-force the credentials protecting these tunnels, gain unauthorized access to the system and transmit malware and other malicious applications through them.

[Figure: Brute force attack]

Web server Password Cracking

Here, the attacker tries to obtain the passwords of well-protected accounts, for instance root administration, demo, test and guest accounts, through methods such as spoofing, phishing, social engineering, Trojan horses and so on.

The passwords cannot be cracked unless the attacker can pass as a valid user of the system; while passwords can be cracked manually, they can also be cracked with tools such as Brutus, Cain and Abel and others.

Other techniques for cracking include:

  • Guessing: this can be done manually or with tools, provided a dictionary of probable words is available.
  • Dictionary attacks: a list of probable words is run against the system, and as long as the password is simple, this method is likely to crack it.
  • Hybrid attacks: similar to dictionary attacks, with numbers and symbols added to the dictionary words.
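Both the SSH brute-force attack and the guessing, dictionary and hybrid attacks above leave the same trace on the server: a burst of failed logins from one source, often cycling through several account names. The detector below is an added example for this article, not code from the original page; the `sshd` log lines are constructed in the usual syslog format, the year is assumed (syslog omits it), and the threshold of five failures within sixty seconds is an assumed tuning value:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd entries in syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Jan 31 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 31 10:15:02 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 51130 ssh2
Jan 31 10:15:04 web01 sshd[2215]: Failed password for invalid user guest from 203.0.113.5 port 51134 ssh2
Jan 31 10:15:05 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 51140 ssh2
Jan 31 10:15:07 web01 sshd[2219]: Failed password for root from 203.0.113.5 port 51142 ssh2
Jan 31 10:15:09 web01 sshd[2221]: Failed password for root from 203.0.113.5 port 51150 ssh2
Jan 31 10:16:30 web01 sshd[2240]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Jan 31 10:16:41 web01 sshd[2242]: Accepted password for alice from 198.51.100.7 port 40014 ssh2
Jan 31 11:05:00 web01 sshd[2300]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Jan 31 11:30:00 web01 sshd[2310]: Failed password for bob from 192.0.2.9 port 33010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2018):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are skipped.

    The year is supplied by the caller because syslog timestamps omit it (assumed 2018 here).
    """
    for line in text.splitlines():
        match = FAILED_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(f"{match['ts']} {year}", "%b %d %H:%M:%S %Y")
        yield ts, match["user"], match["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failures inside any sliding `window`.

    Returns {ip: {"peak_failures": n, "distinct_users": [...]}}. The distinct
    user list is what separates a single mistyped password from a dictionary
    run across several account names.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every account name tried from that address
    flagged = {}
    for ts, user, ip in sorted(parse_failures(text)):
        users[ip].add(user)
        queue = recent[ip]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(queue))
    return {ip: {"peak_failures": n, "distinct_users": sorted(users[ip])}
            for ip, n in flagged.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['peak_failures']} failures in 60s, users tried: {info['distinct_users']}")
```

The two `bob` failures twenty-five minutes apart are not flagged because the window slides; a user who fails once and then logs in (`alice`) is likewise ignored. The same sliding-window logic applies unchanged to web server access logs for the password cracking of administrative pages described above, with the regular expression swapped for the server's log format.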

How to counter web server attacks

  • Apply patches and updates
  • Scan for weaknesses
  • Read all documentation before deploying any application
  • Always keep the system updated, however minor and inconsequential an update seems
  • Test service packs and hotfixes before applying them to the production system
  • Ensure hotfixes and service packs are applied consistently across all domain controllers
  • Have a backup plan or a restore point, so the system can be returned to its original state if an update fails

Published with the express permission of the author.