Certified Ethical Hacker - Part 11-2 - Hacking Web Server

by Riazul H. Rozen
Jan. 31, 2018 0 comments 3 minute read Certifications CEH
Download PDF

Methods for carrying out Web server attacks

For attackers to successfully perform a web server attack, the following methods can be implemented - Gaining information of the target company Web server footprinting Mirroring the website Hacking web server Session Hijacking Vulnerability scanning

Gaining information of the target company

Attackers gain information such as IP addresses, domain name, autonomous system numbers and others, using tools like whois, traceroute, and active whois on places like the internet, company bulletin boards, and newsgroups.

Attackers can also search through the robot.txt file, to get information that the website owner would rather keep from the reach of web crawlers. Information such as root directory structure and content management system information can be gotten from this set of hidden web server directory and files, by requesting for the file through URL.

Web server footprinting

Attackers use tools such as Netcraft, httprecon, and ID serve to carry out footprinting exercises. The question then is what is footprinting? Footprinting is a method used by attackers to retrieve valuable information from their target systems. Information ranging from account details, operating systems, server names, database schema details and software versions can be gleaned from this process.

Nmap commands and Nmap scripting engine scripts can also be used to gain information from a target system. For instance, to gather information on IP addresses for both map commands and scripting respectively:

  • map sV –O –p target IP address
  • map –sV – - script=http-enum target IP address

Website mirroring

Mirroring simply means duplication. Here, the attackers create a carbon copy of the system’s file structure, directory structure, and external links and so on. Tools such as HTTrack, WebCopier Pro, BlackWidow and others, are used to mirror a website, for the purpose of making footprinting activities more efficient.

HTTrack

Vulnerability scanning

Tools such as HT WebInspect, Acunitex web vulnerability scanner and others are used to scan the target system for weaknesses with the objective of discovering if these systems are exploitable. Apart from vulnerabilities, host, services and network traffic can also be searched to find out active systems, network services and applications present in the target system.

Vulnerability scanning

These tools could also be used to run tests on the web server to determine if there are any misconfigurations present, as well as out-dated content.

Session Hijacking

Session fixation, session sidejacking, and cross-site scripting are just a few of the method used to gain valid session IDs by attackers. These IDs are used to hijack an on-going session between two communicative systems, which creates a host of opportunities for the attackers in terms of gaining information from the target system. Tools such as Burp Suite, JHijack and Firesheep are just a few of the software used to ensure that a session hijacking is successful.

Session Hijacking

Hacking web server passwords

THC-Hydra and Brutus are two of the many tools that can be used by attackers to crack web server passwords, with techniques ranging from dictionary attacks to hybrid attacks.

Web server Attack Tools

Metasploit

Metasploit
  • Apart from being an exploitation development platform, Metasploit also acts as a research tool and a penetration testing toolkit.
  • This tool is used to exploit a web server’s vulnerability and weak passwords on platforms like telnet, SSH, HTTP, and SNM.
  • This tool also has an exploit module which is used for large-scale exploitation as it targets multiple platforms at a go. Fitted with simplified meta-information fields, the users can attempt passive exploits in addition to brute force attacks, and dynamic exploitation behavior modification.
  • The payload module is implemented using a command from command prompt, and it forms a connection between the Metasploit framework and the victim host.
  • Fuzzing, denial of service and port scanning are just some of the activities that can be carried out using the auxiliary module. This module can be executed using the run or the exploit command.
  • NOPS module is used to generate no-operation instructions, used for blocking out buffers and this module can be executed with the generate command.

Wfetch

This is used by the attacker to exploit an HTTP request, after which this request is sent to a web server to see the raw HTTP request and response data. This tool also allows the attackers test the performances of websites with new components or wireless protocols.

Insert caption here

Countermeasures for web server attackers

web hosting network

For web servers

  • to be properly protected, it is important that the web hosting network is designed in three compartments; internal segment, internal network, and secure server security segment.
  • The server security segment is always separated from the public and internal networks; hence this is where the web server should be placed.
  • With regards to firewalls as security, there should be one for the internal network and another for the internet traffic moving towards the server security segment.

For protocols

  • Restrict all unnecessary ports, protocols such as NetBIOS and SMB and internet message control protocol traffic
  • Telnet, POP3, SMTP, and FTP are some insecure protocols. If these protocols are to be used, it is necessary to provide secure validation and communication modules i.e using IPSec policies.
  • Consistently use latest software patches and constantly update the system software. Also, it is necessary to harden the TCP/IP stack.
  • Use tunneling and encryption protocols to cover communication situations requiring remote access.
  • Use WebDAV when required, if not, disable.

For accounts

  • Eliminate all unused application extensions and modules
  • Ensure that the proper web permissions, NTFS permissions and .NET framework access control and URL authentication is used
  • Use strong password policies to prevent dictionary and brute force attacks.
  • In cases of login failures, ensure that proper audit and alert measures are taken
  • Ensure that any default account implemented during the installation of a new operating system is deleted
  • Prevent SQL poisoning, by using the principle of least privilege
  • Remove unnecessary database users and stored procedures
  • For new webroot directories, use the least possible NTFS permission for anonymous users to regulate their access to the web server web content.

For files and directories

  • Don’t map virtual directories between two servers
  • Create a resource mapping to disable serving specific file types
  • Eliminate all unnecessary .jar files
  • Disable serving of directory listing
  • Remove sensitive configuration information from the bytecode
  • Remove the presence of non-web files. For instance archive files.

Published with the express permission of the author.