An attacker who wants to compromise a web server usually works through the following stages:
Gathering information about the target company
Web server footprinting
Mirroring the website
Vulnerability scanning
Session hijacking
Hacking web server passwords
Gathering information about the target company
Attackers collect information such as IP address ranges, domain names and autonomous system numbers using tools like whois, traceroute and Active Whois, and by searching the internet, company bulletin boards and newsgroups.
Attackers also read the robots.txt file, which lists the paths the website owner would rather keep out of reach of web crawlers. Because robots.txt is a public file that only well-behaved crawlers honour, information such as the root directory structure and the content management system in use can be obtained simply by requesting the file by its URL and then requesting each path it names.
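The robots.txt harvesting described above, as an added example that is not part of the original article. The robots.txt body is constructed so that the code runs offline; an attacker would fetch https://target/robots.txt and feed the body to the same functions. The CMS path hints are well-known defaults, and the host name is a placeholder.

```python
"""Read the paths a site asks crawlers to stay away from.  Added example,
not part of the original article.  Nothing listed here is hidden: robots.txt
is only a request to well-behaved crawlers, so every Disallow line is a path
the attacker can request directly."""
from urllib.parse import urljoin

# Constructed sample robots.txt body
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /backup/
Allow: /wp-admin/admin-ajax.php

User-agent: Googlebot
Disallow: /staging/
Sitemap: https://www.example.com/sitemap.xml
"""

# Path prefixes that betray a content management system (well-known defaults)
CMS_HINTS = {"/wp-admin": "WordPress", "/wp-includes": "WordPress",
             "/administrator": "Joomla", "/sites/default": "Drupal"}


def parse_robots(text):
    """Return {user_agent: [disallowed paths]}, honouring record boundaries."""
    rules, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            agents, in_rules = [], False       # a blank line ends a record
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                       # new record without a blank line
                agents, in_rules = [], False
            agents.append(value)
            rules.setdefault(value, [])
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value:  # an empty Disallow means "allow all"
                for agent in agents:
                    rules[agent].append(value)
    return rules


def candidate_urls(base, rules):
    """Every disallowed path turned into a URL worth requesting, deduplicated."""
    seen, urls = set(), []
    for paths in rules.values():
        for path in paths:
            url = urljoin(base, path)
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def infer_cms(rules):
    """Guess the CMS from disallowed path prefixes."""
    found = set()
    for paths in rules.values():
        for path in paths:
            for prefix, cms in CMS_HINTS.items():
                if path.startswith(prefix):
                    found.add(cms)
    return found
```

Running parse_robots over the sample yields the /wp-admin/, /wp-includes/, /backup/ and /staging/ paths, and infer_cms flags WordPress from the first two; the defensive lesson is that robots.txt must never be used as an access control.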
Web server footprinting
Footprinting is the process of retrieving as much information as possible about a target system before attacking it: server names, operating system, software versions, account details and even database schema details. Attackers use tools such as Netcraft, httprecon and ID Serve, which fingerprint a web server from its HTTP headers and response behaviour, to carry out footprinting exercises.
Nmap commands and Nmap Scripting Engine (NSE) scripts can also be used to gather information from a target. For instance, the first command below detects service versions and the operating system on the given ports, and the second enumerates common web application paths on the target:
nmap -sV -O -p <ports> <target IP address>
nmap -sV --script=http-enum <target IP address>
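The header-based fingerprinting that httprecon and ID Serve perform, as an added example that is not part of the original article. The two raw responses are constructed so the code runs offline; the header and cookie names are real conventions, the version strings are made up for the sample.

```python
"""Fingerprint a web server from raw HTTP responses.  Added example, not
part of the original article.  Server and X-Powered-By give the headline
answer, but the session-cookie name and the order of the headers survive
even when an administrator strips the Server banner."""

# Constructed raw responses (bytes as they would arrive on the socket)
APACHE_PHP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=0123abcd; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html></html>"
)
IIS_ASPNET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"Set-Cookie: ASP.NET_SessionId=abcd0123; path=/; HttpOnly\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"\r\n"
)

# Default session-cookie names of common platforms
COOKIE_PLATFORMS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}


def parse_headers(raw):
    """Split a raw response into (status line, [(lower-case name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    headers = []                      # list, not dict: header order is a signal
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def fingerprint(raw):
    """Collect the banner, framework hints and header order from one response."""
    status_line, headers = parse_headers(raw)
    result = {"status": status_line, "server": None, "powered_by": [],
              "platforms": [], "header_order": [name for name, _ in headers]}
    for name, value in headers:
        if name == "server":
            result["server"] = value
        elif name in ("x-powered-by", "x-aspnet-version"):
            result["powered_by"].append(value)
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            platform = COOKIE_PLATFORMS.get(cookie_name)
            if platform and platform not in result["platforms"]:
                result["platforms"].append(platform)
    return result
```

Note that the Server header can be forged or removed; the cookie name and the header order (Apache typically sends Date before Server, IIS sends Date last) are the parts of the fingerprint an administrator is least likely to have changed.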
Mirroring the website
Mirroring simply means duplication. Here the attacker creates a carbon copy of the site's file structure, directory structure, external links and so on, so that it can be examined offline (for HTML comments, hidden form fields and forgotten files, for example) without generating further traffic on the target. Tools such as HTTrack, WebCopier Pro and BlackWidow are used to mirror a website for the purpose of making footprinting more efficient.
Vulnerability scanning
Tools such as HP WebInspect and the Acunetix web vulnerability scanner are used to scan the target for weaknesses, with the objective of discovering whether the system is exploitable. Apart from application vulnerabilities, hosts, services and network traffic are also examined to find active systems and the network services and applications present on the target.
These tools can also be run against the web server to find misconfigurations and out-of-date content or software.
Session hijacking
Session fixation (forcing a known session ID onto the victim before they log in), session sidejacking (sniffing the session cookie from unencrypted traffic) and cross-site scripting (stealing the cookie with injected script) are just a few of the methods attackers use to obtain valid session IDs. With a valid ID the attacker takes over an ongoing session between two communicating systems, which opens up a host of opportunities for extracting information from the target. Tools such as Burp Suite, JHijack and Firesheep are a few of the programs used to carry out session hijacking.
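Session fixation, the first of the techniques listed above, as an added example that is not part of the original article: a minimal in-memory session store in its vulnerable form beside the hardened form that regenerates the session ID on login. The credential store and the session store are constructed for the example; the attack flow is the real one.

```python
"""Session fixation, vulnerable and hardened.  Added example, not part of
the original article.  The attacker obtains a valid pre-login session id
from the site, plants it in the victim's browser (a crafted link or cookie
injection; not modelled here), waits for the victim to log in, then uses
the same id.  Regenerating the id on login is what breaks the attack."""
import secrets

USERS = {"alice": "correct horse battery staple"}   # constructed credential store


class SessionStore:
    def __init__(self, regenerate_on_login):
        self.sessions = {}                       # sid -> {"user": str or None}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        sid = secrets.token_urlsafe(32)          # unguessable: the flaw is reuse, not entropy
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate the user holding `sid`; return the sid to use afterwards."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if not secrets.compare_digest(USERS.get(username, ""), password):
            raise ValueError("bad credentials")
        if self.regenerate_on_login:
            del self.sessions[sid]               # hardened: the pre-login id dies here
            sid = self.new_session()
        self.sessions[sid]["user"] = username    # vulnerable: the planted id is now authenticated
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def run_fixation_attack(regenerate_on_login):
    """Return (user seen through the planted id, user seen through the victim's id)."""
    store = SessionStore(regenerate_on_login)
    attacker_sid = store.new_session()            # 1. attacker obtains a valid id
    # 2. attacker plants attacker_sid in the victim's browser
    victim_sid = store.login(attacker_sid, "alice", USERS["alice"])   # 3. victim logs in with it
    # 4. attacker presents the id they planted
    return store.whoami(attacker_sid), store.whoami(victim_sid)
```

With regenerate_on_login=False the attacker's copy of the ID is logged in as alice; with it set to True the planted ID is dead after login and only the fresh ID the victim received is authenticated. Binding the session to TLS and setting the Secure and HttpOnly cookie flags addresses the sidejacking and XSS variants, which this example does not cover.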
Hacking web server passwords
THC-Hydra and Brutus are two of the many tools attackers use to crack web server passwords, with techniques ranging from plain dictionary attacks to hybrid attacks that apply mangling rules (capitalisation, appended digits, substituted characters) to each dictionary word.
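The candidate-generation half of a hybrid attack, as an added example that is not part of the original article or of either tool. The wordlist, suffix rules and the salted SHA-256 target hash are constructed so the example runs offline; a real attack sends each candidate as a login attempt, which is exactly what account lockout and rate limiting on the server exist to stop.

```python
"""Hybrid dictionary attack, offline.  Added example, not part of the
original article.  Each dictionary word is mangled with a few rules
(capitalisation, leetspeak, appended digits and years) and tested against a
constructed salted SHA-256 hash; the attempt count shows how few guesses a
policy-compliant but predictable password like Summer2024 survives."""
import hashlib

WORDLIST = ["password", "summer", "admin", "welcome"]   # constructed, tiny
SUFFIXES = ("1", "123", "!", "2023", "2024")
LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield hybrid candidates derived from one dictionary word, base forms first."""
    yield word
    yield word.capitalize()
    yield word.upper()
    leet = word.translate(LEET)
    if leet != word:
        yield leet
    for base in (word, word.capitalize()):
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(words):
    """All candidates for the whole wordlist, without duplicates."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def hash_password(password, salt):
    """Constructed target format: salted SHA-256, hex encoded."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash, salt, words):
    """Return (password, attempts) or (None, attempts) when the list is exhausted."""
    attempts = 0
    for cand in candidates(words):
        attempts += 1
        if hash_password(cand, salt) == target_hash:
            return cand, attempts
    return None, attempts
```

Four dictionary words already expand to 56 candidates, and Summer2024 falls on the 28th guess; a long passphrase that is not derived from a dictionary word is never produced by the rules at all.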
Web server Attack Tools
Apart from being an exploitation development platform, Metasploit also acts as a research tool and a penetration testing toolkit.
It is used to exploit a web server's vulnerabilities and weak passwords on services such as Telnet, SSH, HTTP and SNMP.
Its exploit module encapsulates a single exploit so that it can be aimed at many platforms at once. The module's simplified meta-information fields and mixins let users modify exploit behaviour dynamically, run brute-force attacks and attempt passive exploits.
The payload module supplies the code that runs on the victim after a successful exploit and establishes the connection between the Metasploit framework and the victim host; a payload is chosen in the console with the set PAYLOAD command.
Fuzzing, denial of service and port scanning are some of the activities carried out with the auxiliary module, which is executed with the run or the exploit command.
The NOPs module generates no-operation instructions used for padding out buffers (a NOP sled, so that an imprecise jump still lands on the payload) and is executed with the generate command.
A further tool in this category lets an attacker craft a fully customised HTTP request, send it to the web server and inspect the raw HTTP request and response data.
It also lets attackers test how a website behaves with new components or wireless protocols.
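Why the padding the NOPs module generates works, as an added example that is not part of the original article or of Metasploit. It builds a buffer with a run of single-byte x86 NOPs (0x90) in front of a payload and simulates a CPU that starts executing at an imprecise address inside the buffer. The payload bytes are a constructed marker, not shellcode.

```python
"""NOP sled simulation.  Added example, not part of the original article.
Execution that starts anywhere inside the sled slides over the NOPs and
reaches the first payload byte; starting inside the payload executes a
truncated payload instead (a crash), and starting past the end runs off."""
NOP = 0x90
PAYLOAD = b"<payload>"          # constructed stand-in; contains no 0x90 byte


def build_buffer(sled_len, payload=PAYLOAD):
    """NOP sled followed by the payload, as an exploit places it in memory."""
    return bytes([NOP]) * sled_len + payload


def reach(buf, entry):
    """Index of the first non-NOP byte executed when execution starts at
    `entry`, or None if execution runs off the end of the buffer."""
    if entry < 0 or entry >= len(buf):
        return None
    i = entry
    while i < len(buf) and buf[i] == NOP:
        i += 1                    # a single-byte NOP just advances the instruction pointer
    return i if i < len(buf) else None


def entries_that_hit_payload(buf, payload_len=len(PAYLOAD)):
    """All start addresses that end up exactly at the first payload byte."""
    start = len(buf) - payload_len
    return [e for e in range(len(buf)) if reach(buf, e) == start]
```

With a 64-byte sled, 65 different start addresses reach the payload; with no sled, only the one exact address does. That tolerance is what lets an exploit succeed when the return address it overwrites is only approximately known.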
Countermeasures against web server attacks
Web hosting network
For web servers to be properly protected, the web hosting network should be designed in three segments: the internet segment, the internal network, and a secure server security segment.
The server security segment is always kept separate from both the public internet and the internal network; this is where the web server belongs.
As for firewalls, there should be two: one between the internet and the server security segment, filtering traffic moving towards the web server, and another between the server security segment and the internal network.
Block all unnecessary ports and protocols, such as NetBIOS, SMB and ICMP (Internet Control Message Protocol) traffic.
Telnet, POP3, SMTP and FTP are insecure protocols that carry credentials in clear text. If they must be used, provide secure authentication and an encrypted channel, for example by using IPsec policies.
Apply the latest software patches promptly and keep the system software up to date. Also harden the TCP/IP stack.
Use tunnelling and encryption protocols for any situation requiring remote access.
Enable WebDAV only where it is required; otherwise disable it.
Eliminate all unused application extensions and modules.
Ensure that the proper web permissions, NTFS permissions, .NET Framework access control and URL authorization are used.
Enforce strong password policies to blunt dictionary and brute-force attacks.
Audit login failures and raise an alert when they repeat.
Ensure that any default accounts created during the installation of a new operating system or application are deleted or disabled.
Prevent SQL injection by applying the principle of least privilege to the database accounts the application uses.
Remove unnecessary database users and stored procedures.
For new web root directories, grant anonymous users the least NTFS permission that still lets them reach the published web content.
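The audit-and-alert countermeasure on login failures, as an added example that is not part of the original article: detection logic run over constructed access log lines in Apache combined log format. The endpoint name /login, the client addresses and the threshold are assumptions for the example; a POST to /login answered with 401 is treated as a failed login.

```python
"""Alert on password guessing from web server access logs.  Added example,
not part of the original article.  One alert is raised per client IP that
exceeds a threshold of failed logins inside a sliding window, so a burst
from one client fires while slow guessing spread over minutes does not."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log lines: a slow guesser, a user who mistyped once, and a burst
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2023:13:40:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:43:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:46:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:49:15 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:52:20 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:33 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["method"], m["path"], m["status"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return [(ip, failures_in_window, time_of_alert)], at most one alert per IP."""
    recent = defaultdict(deque)          # ip -> timestamps of failures still in the window
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not (method == "POST" and path == "/login" and status == "401"):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(q), ts))
    return alerts
```

With the default five failures per minute only the burst from 203.0.113.5 fires; widening the window to fifteen minutes also catches the slow guesser at 192.0.2.9, which is the trade-off between sensitivity and false alarms that the threshold and window encode. In production the alert would feed a SIEM and, together with the lockout policy, a temporary block on the source address.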
For files and directories
Don't map virtual directories between two different servers.
Create a resource mapping so that specific file types are never served.
Eliminate all unnecessary .jar files.
Disable directory listings.
Remove sensitive configuration information from bytecode.
Remove non-web files, such as archive files, from the web root.
Published with the express permission of the author.