Webservers can refer to either hardware (a computer) or software (a computer application) that delivers Web content that can be accessed through the Internet. Web servers, like other systems, can be compromised by an attacker. Webserver misconfiguration is one of the most commonly exploited weaknesses, and Web defacement is one of the most visible results of a compromise.

12.1 Web server attacks

Exam Focus: Web server attacks. Objective includes:
- Understand open source webserver architecture.
- Examine IIS webserver architecture.
- Understand Website defacement.
- Understand why Web servers are compromised.
- Analyze impact of webserver attacks.

Open source webserver architecture

An open source web server is a program that permits administrators to run a website online and, if they wish, sell web space to others. Security is a large factor, since a server going down takes all its associated information and websites with it; a good open source web server should therefore support strong, current TLS encryption and receive timely security updates.

(The original page shows a diagram of the open source webserver architecture here.)

Apache is a stable, multiplatform Web server daemon. The key features of an Apache server are as follows:
- It is easy to configure.
- It supports server-side scripting as well as CGI scripts.
- It contains a custom API that enables external modules, such as improved authentication, caching, etc., to be loaded by the server.
- It has long been one of the most widely deployed servers on the Internet.

IIS webserver architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage Web server. It is used for hosting anything on the Web.

(The original page shows a diagram of the IIS webserver architecture here.)

Web defacement

Website defacement is an attack on a Website that changes the visual appearance of the site. These are typically the work of system crackers who break into a Web server and replace the hosted Website with one of their own. Sometimes the defacer makes fun of the system administrator for failing to maintain server security. Most of the time the defacement itself is harmless; however, it can be used as a distraction to cover up more sinister actions, such as uploading malware. A high-profile Website defacement was carried out on the Website of the company SCO Group following its assertion that Linux contained stolen code.

Why are Web servers compromised?

Web servers are compromised for the following reasons:
- Lack of proper security policy, procedures, and maintenance
- Misconfigurations in the webserver, operating system, and network
- Bugs in server software, the OS, and Web applications
- Installing the server with default settings
- Unpatched security flaws in the server software, OS, and applications
- Unnecessary default, backup, or sample files
- Improper file and directory permissions
- Unnecessary services enabled, including content management and remote administration
- Default accounts with their default passwords
- Administrative or debugging functions that are enabled or accessible
- Misconfigured SSL/TLS certificates and encryption settings
- Use of self-signed certificates and default certificates
- Improper authentication with external systems
- Security conflicting with the business's ease-of-use case

Impacts of webserver attacks

The following are impacts of webserver attacks:
- Compromise of user accounts
- Website defacement
- Data tampering
- Data theft
- Secondary attacks launched from the Website
- Root access to other applications or servers

DoS attacks on Web servers

A Denial of Service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. One variant targets routers: an attacker gains access to the router and changes its configuration so that it stops forwarding packets, effectively cutting off all hosts behind it. DoS attacks involve the following:
- Jamming networks
- Flooding service ports
- Misconfiguring routers
- Flooding mail servers

DDoS attacks on Web servers

In a Distributed Denial of Service (DDoS) attack, an attacker uses many computers across the network that have been previously infected and placed under the attacker's control. The following attacks are grouped here under DoS/DDoS; note that several of them (FTP bounce, port scanning, sequence prediction, DNS cache poisoning) are reconnaissance or spoofing techniques that support an attack rather than floods in themselves:
- FTP bounce attack
- Port scanning attack
- Ping flooding attack
- Smurf attack
- SYN flooding attack
- IP fragmentation/overlapping fragment attack
- IP sequence prediction attack
- DNS cache poisoning
- SNMP attack
- Sendmail attack

FTP bounce attack

The FTP bounce attack is an exploit of the FTP protocol whereby an attacker uses the PORT command to make the FTP server open connections to arbitrary ports on third hosts, using the FTP server as a middleman so that the scan or connection appears to come from the server rather than from the attacker.

Ping flooding attack

The ping flooding attack floods the victim's network or machine with ICMP echo request (ping) packets faster than it can respond. Many operating systems, routers, and printers have been vulnerable to oversized or flood ping traffic; most can be patched, but patches cannot be applied easily throughout a global network.

Smurf attack

The smurf attack uses third-party networks as unwitting amplifiers. The attacker sends ICMP echo requests whose source address is forged to be the victim's address and whose destination is the broadcast address of a third-party network. Every machine on that network that answers the broadcast sends its reply to the victim, so each forged request is amplified many times over. The attacker rapidly sends large numbers of such requests via different intermediary networks, and the victim is overwhelmed by the replies.

IP fragmentation/overlapping fragment attack

In an overlapping fragment attack, the attacker sends IP fragments whose offsets overlap, so that one fragment's data starts in the middle of another's. An operating system whose reassembly code does not handle this case allocates memory to hold the fragments, exhausts it, and hangs or reboots. Overlapping fragments can also be used to smuggle data past packet filters that inspect only the first fragment.

IP sequence prediction attack

In a TCP sequence prediction attack, the attacker first observes or provokes connections with the victim machine (for example, while a SYN flood keeps a trusted host from responding) in order to learn how it generates initial sequence numbers. By predicting the next sequence number, the attacker can forge packets that the victim accepts as coming from a trusted machine, and the victim will provide the requested services to the attacker.
Most operating systems now randomize their initial sequence numbers to make prediction impractical.

DNS cache poisoning

DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. This can happen through improper software design, misconfiguration of name servers, and maliciously designed scenarios exploiting the traditionally open architecture of the DNS system. Once a DNS server has received such non-authentic data and cached it for future performance gains, it is considered poisoned and supplies the non-authentic data to its clients. A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer.

Cache poisoning attacks

Normally, a networked computer uses a DNS server provided by the user's organization or an Internet service provider (ISP). DNS servers are generally deployed in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server, or indirectly by its downstream server(s) if applicable. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they come from an authoritative source (matching transaction ID, source port, and question, and caching only records the responder is authoritative for), it ends up caching the incorrect entries locally and serving them to other users who make the same request. This technique can be used to direct users of a Website to another site of the attacker's choice. For example, an attacker spoofs the DNS address records for a target Website on a given DNS server, replacing them with the IP address of a server he controls. He then creates files on that server with names matching those on the target server. These files could contain malicious content, such as a computer worm or virus. A user whose computer references the poisoned DNS server is tricked into accepting content from the non-authentic server and unknowingly downloads the malicious content.

12.2 Examine webserver misconfiguration, and understand directory traversal attacks

Exam Focus: Examine webserver misconfiguration, and understand directory traversal attacks. Objective includes:
- Examine webserver misconfiguration.
- Understand directory traversal attacks.

Webserver misconfiguration

Webserver misconfiguration denotes a configuration weakness in the Web infrastructure.
This weakness can be exploited to launch attacks on webservers such as directory traversal, server intrusion, and data theft. The various webserver misconfigurations are as follows:
- Unused services enabled
- Remote administration
- Misconfigured / default SSL/TLS certificates
- Verbose error messages (404 pages and the like)
- Verbose debug output
- Unknown or default user names and passwords
- Script files and sample configuration
Directory traversal

A directory traversal attack exploits insufficient validation or sanitization of user-supplied file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. The attack accesses a computer file that is not intended to be accessible. It exploits a lack of input validation rather than a bug in the server's own code. It is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.

Prevention methods of the directory traversal attack

A Web administrator can take the following steps to stop a directory traversal attack:
- Process URI requests that do not result in a file request first (e.g. by executing a hook into user code before continuing below).
- When a URI request for a file/directory is to be served, build the full path to the file/directory, if it exists, and normalize all characters (e.g. %20 converted to a space, ../ components collapsed).
- Assume that the 'Document Root' is known as a fully qualified, normalized path whose string has length N, and that no files outside this directory may be served.
- Ensure that the first N characters of the fully qualified path to the requested file are exactly the same as the 'Document Root' (and that the next character is a path separator, so that a sibling directory whose name merely begins with the document root's name is not accepted). If so, allow the file to be returned. If not, return an error, since the request is clearly out of bounds for what the Web server should be allowed to serve.

12.3 Learn regarding HTTP response splitting attack, and understand Web cache poisoning attack

Exam Focus: Learn regarding HTTP response splitting attack, and understand Web cache poisoning attack. Objective includes:
- Learn regarding HTTP response splitting attack.
- Understand Web cache poisoning attack.

HTTP response splitting

HTTP response splitting is an attack that takes advantage of a Web application vulnerability. In this attack, header data is injected through an input field so that the server emits what the client or an intermediary parses as two responses instead of one.
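Before going on with response splitting, here is the document root check from the directory traversal prevention steps in 12.2 above, written out as an added example; it is not code from the original page. It assumes a hypothetical document root of /var/www/html and makes no filesystem calls, so it runs anywhere. It goes slightly beyond the steps as listed: it percent-decodes repeatedly so double-encoded traversal sequences are caught, rejects NUL bytes, and requires a path separator after the document root.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root used for the examples below (an assumption
# of this example; no real filesystem is consulted).
DOCUMENT_ROOT = "/var/www/html"


def resolve_request_path(doc_root, request_path, max_decode_rounds=3):
    """Map a URI path onto a file path under doc_root, or return None.

    This is the "first N characters" test from the prevention steps:
    build the fully qualified, normalized path, then require that it
    begins with the normalized document root. A separator is appended
    to the root before comparing so that a sibling directory such as
    /var/www/html2 cannot pass as "inside" /var/www/html.
    """
    # Percent-decode repeatedly: a single unquote() turns %252e%252e
    # into %2e%2e, which a later decoder may turn into ".." again.
    # Stop when a round changes nothing; give up if it never settles.
    decoded = request_path
    for _ in range(max_decode_rounds):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return None

    # NUL bytes truncate paths in C file APIs ("index.html\0.jpg" would
    # be opened as "index.html"), so they are never legitimate here.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators so "..\..\" is normalized too.
    decoded = decoded.replace("\\", "/")

    root = posixpath.normpath(doc_root)
    # Join below the root; the leading "/" of an absolute URI path is
    # stripped so that it is relative to the root, not to the host.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

    # The root itself (a request for "/") is allowed; anything else must
    # lie strictly below root + "/".
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the
    # rest are traversal attempts in the encodings a server sees.
    for path in ["/index.html", "images/../index.html",
                 "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                 "%252e%252e/%252e%252e/etc/passwd",
                 "..\\..\\windows\\win.ini", "index.html%00.jpg",
                 "../html2/secret.txt"]:
        print(f"{path!r:45} -> {resolve_request_path(DOCUMENT_ROOT, path)}")
```

In a real server the returned candidate should additionally be passed through os.path.realpath and the prefix test repeated, because a symlink inside the document root can still point outside it; and the server process should run under an account that cannot read anything outside the document root even if the check is bypassed.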
An attacker sends malicious data to a vulnerable application, and the application includes that data in an HTTP response header. The attacker controls the first response, typically to redirect the user to a malicious Website; the second response, which the attacker has crafted entirely, is what a proxy or browser then reads as the answer to the next request, while any further data is discarded. HTTP response splitting can be used to perform cross-site scripting attacks, cross-user defacement, Web cache poisoning, and similar exploits. The countermeasure against HTTP response splitting is to reject or URL-encode CR and LF characters in any string before including it in HTTP headers such as Location or Set-Cookie.

Types of attacks mounted with HTTP response splitting
The following types of attacks can be mounted with HTTP response splitting:
- Cross-site scripting (XSS): Cross-site scripting is a type of vulnerability, typically found in Web applications, that enables attackers to inject client-side script into Web pages viewed by other users. With response splitting, the attacker-supplied second response carries the script.
- Web cache poisoning (defacement): In a Web cache poisoning attack, the attacker sends two requests through a caching proxy; the split second response is matched to the second request, so the proxy caches the attacker's page under that URL and serves it to every subsequent user.
- Cross user defacement (single user, single page, temporary defacement): This attack is possible because of HTTP response splitting combined with flaws in the Web application. It is critical from the attacker's point of view that the application allows the header field to be filled with more than one header using CR (Carriage Return) and LF (Line Feed) characters.
- Hijacking pages with user-specific information: In this attack, the attacker receives the server's response to a user's request instead of the user. The attacker can thus gain access to user-specific information that may be sensitive and confidential.
- Browser cache poisoning: This type of attack is a serious security loophole that can cause headaches for mobile-computing users on public Wi-Fi networks. It is similar to XSS in that the attacker needs to target individual clients.

DNS cache poisoning attack

DNS cache poisoning, described in section 12.1, is the analogous attack on a caching name server: non-authentic records are accepted and cached because the server does not correctly validate that responses come from an authoritative source, and are then served to every client that asks for the same name.

Defending against HTTP response splitting and Web cache poisoning

The following actions should be taken to defend against HTTP response splitting and Web cache poisoning:
- The latest webserver software should be used.
- The OS and webserver should be regularly updated.
- A Web vulnerability scanner should be run.
- Sharing of incoming TCP connections among different clients should be avoided.
- Different TCP connections should be used with the proxy for different virtual hosts.
- "Maintain request host header" should be correctly implemented.
- Web application access to unique IPs should be restricted.
- Carriage return (%0d or \r) and line feed (%0a or \n) characters should be disallowed in header values.
- Application developers should comply with the HTTP/1.1 specification (RFC 2616, since obsoleted by RFC 7230 and later RFC 9110/9112).
12.4 Understand HTTP response hijacking, and discuss SSH bruteforce attack

Exam Focus: Understand HTTP response hijacking, and discuss SSH bruteforce attack. Objective includes:
- Understand HTTP response hijacking.
- Discuss SSH bruteforce attack.

HTTP response hijacking

In HTTP response hijacking, a page (HTTP response) containing user-sensitive information is hijacked. This attack is similar to the cross-user attack, but the motive is not to replace the response the user receives with a spoofed page. Instead, the attack diverts a response that the server generated for a client to the attacker.

SSH bruteforce attack

The SSH protocol creates an encrypted tunnel between two hosts so that otherwise unencrypted data can be transferred over an insecure network. To gain unauthorized access through such a tunnel, attackers brute force SSH login credentials. Once inside, malware and other exploits can be transmitted through the SSH tunnel without being detected by inspection of the wire.

Sshguard

Sshguard is an SSH brute-force prevention tool that monitors servers' logging activity and blocks attacking addresses. It supports log message authentication, IPv6 addressing, and multiple-source monitoring. It also handles host names or addresses in log files natively and supports per-service and per-address blocking actions.

Countermeasures against the SSH brute force attack

The following are countermeasures against the SSH brute force attack:
- Key-based authentication: Enable key-based authentication and disable password authentication.
- Move the SSH port: Move the SSH daemon to another port. Most automated SSH brute force attacks hit only port 22, so this cuts noise, though it does not stop an attacker who scans for the service.
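The detection side of what Sshguard does, as an added example that is not code from the original page or from the Sshguard project: it parses OpenSSH "Failed password" and "Accepted" lines, counts failures per source address, records the spread of user names tried (the signature of a password spray), and flags any password login accepted from an address that had already crossed the threshold. The log lines, host name, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not real traffic). The
# addresses are from documentation ranges. 203.0.113.45 sprays six
# passwords over several accounts and then gets in; 192.0.2.10 is a
# user mistyping once; 198.51.100.7 logs in with a key.
SAMPLE_LOG = """
Mar 12 10:15:01 web1 sshd[2345]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 12 10:15:03 web1 sshd[2347]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar 12 10:15:04 web1 sshd[2349]: Failed password for invalid user test from 203.0.113.45 port 51134 ssh2
Mar 12 10:15:06 web1 sshd[2351]: Failed password for invalid user oracle from 203.0.113.45 port 51140 ssh2
Mar 12 10:15:07 web1 sshd[2353]: Failed password for root from 203.0.113.45 port 51142 ssh2
Mar 12 10:15:09 web1 sshd[2355]: Failed password for root from 203.0.113.45 port 51150 ssh2
Mar 12 10:15:11 web1 sshd[2357]: Accepted password for root from 203.0.113.45 port 51158 ssh2
Mar 12 10:20:30 web1 sshd[2401]: Failed password for alice from 192.0.2.10 port 40210 ssh2
Mar 12 10:20:36 web1 sshd[2401]: Accepted password for alice from 192.0.2.10 port 40210 ssh2
Mar 12 10:25:00 web1 sshd[2450]: Accepted publickey for deploy from 198.51.100.7 port 39992 ssh2: ED25519 SHA256:examplefingerprint
""".strip().splitlines()

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def analyze_ssh_log(lines, threshold=5):
    """Return (brute_forcers, suspicious_logins).

    brute_forcers maps each source IP with at least `threshold` failed
    password attempts to (failure_count, sorted list of user names tried);
    a spread of user names from one IP is the signature of a spray.
    suspicious_logins lists (ip, user, prior_failures) for every password
    login accepted from an IP that had already crossed the threshold,
    which is the event an operator most needs to act on.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    suspicious = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures.get(ip, 0) >= threshold:
                suspicious.append((ip, user, failures[ip]))
    brute = {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= threshold}
    return brute, suspicious


if __name__ == "__main__":
    brute, suspicious = analyze_ssh_log(SAMPLE_LOG)
    for ip, (n, names) in brute.items():
        print(f"brute force from {ip}: {n} failures, users tried: {', '.join(names)}")
    for ip, user, n in suspicious:
        print(f"ALERT: password login for {user} from {ip} after {n} failures")
```

A production version would count within a sliding time window rather than over the whole file and would feed the result to a blocking action, which is what Sshguard and fail2ban do. The countermeasures listed above correspond to the sshd_config directives PasswordAuthentication no, PubkeyAuthentication yes, PermitRootLogin no, MaxAuthTries 3 and, optionally, Port; with password authentication disabled, the "Accepted password" alert above can never fire at all.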
12.5 Examine man-in-the-middle attack, and learn webserver password cracking techniques

Exam Focus: Examine man-in-the-middle attack, and learn webserver password cracking techniques. Objective includes:
- Examine man-in-the-middle attack.
- Learn webserver password cracking techniques.

Man-in-the-middle attack

The man-in-the-middle attack (often abbreviated MITM), bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. A protocol resists MITM only when it authenticates the endpoints: for example, SSL/TLS authenticates the server through a certificate issued by a certification authority that both parties trust, so an attacker without a certificate the client accepts cannot impersonate the server.

WinSSLMiM

WinSSLMiM is an HTTPS man-in-the-middle attack tool. It includes FakeCert, a tool used to make fake certificates. It can be used to exploit the certificate chain vulnerability in old versions of Internet Explorer, which did not check that an intermediate certificate was actually authorized to sign other certificates. The tool works under Windows 9x/2000. For example:

Generate a fake certificate:
fc s www.we-are-secure.com -f fakeCert.crt

Launch WinSSLMiM:
wsm -f fakeCert.crt

Countermeasures against the man-in-the-middle attack

The countermeasures against the man-in-the-middle attack are as follows:
- Authentication techniques based on public key infrastructures, or stronger mutual authentication using secret keys (usually high-entropy secrets, and thus more secure) or passwords (usually low-entropy secrets, and thus less secure).
- Latency examination, such as long cryptographic hash function calculations that take tens of seconds; if a round trip normally takes 20 seconds and instead takes 60 seconds, this can indicate a third party relaying the traffic.
- Second (secure) channel verification.
- One-time pads are immune to MITM attacks, assuming the security and trust of the one-time pad itself.
- Carry-forward verification should be performed.

The integrity of public keys must generally be assured in some manner, but they need not be secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a Certificate Authority whose public key is distributed through a secure channel (for example, bundled with a Web browser or OS installation). Public keys can also be verified by a Web of trust that distributes public keys through a secure channel (for example, face-to-face meetings).

Passwords
A password is a combination of characters, digits, and special symbols that allows a user to access a file or a program. A password prevents an unauthorized user from accessing a file or an application. The following are the different types of passwords:
- Power-on password: This password protects the system from being powered on by an unauthorized person. When a power-on password has been set, a prompt appears at startup and the password must be entered before an operating system boots.
- Hard drive password: A user hard drive password is for the user, and a master hard drive password is for the system administrator. If the user changes the hard drive password, the administrator can still use the master password to get access to the hard drive.
- Supervisor password (BIOS password): A supervisor password, also known as a BIOS password, protects the system information stored in the BIOS. A user is required to enter the supervisor password to access the BIOS setup in order to change the system configuration.
- User password: It is required for most accounts. After entering the user name, the user is prompted for a password. Two passwords must be entered if the account requires both primary and secondary passwords.
- System password: This password controls access to terminals and is required at the discretion of the security administrator; it is often used to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.

Webserver password cracking techniques

The following are webserver password cracking techniques:
- Guessing: A common method in which humans guess passwords or use automated tools supplied with dictionaries to guess them.
- Dictionary: Uses a dictionary of common words and likely passwords to find a user's password.
- Hybrid: Like a dictionary attack, but adds numbers or symbols to each dictionary word (and applies case changes and similar mangling rules).
- Brute force: The most time-consuming but most comprehensive method. Every combination of characters is tried until the password is found.

Password crackers

A password cracker is an application program used to recover an unknown or forgotten password to a computer or network resource. It can also be used to help a human cracker obtain unauthorized access to resources. Some password cracker programs search for hybrids of dictionary entries and numbers. A password cracker may also be able to identify which hash format an encrypted password uses. Some popular password crackers are as follows:
- Cain & Abel
- John the Ripper
- THC Hydra
- Aircrack
- L0phtCrack
- AirSnort
- SolarWinds
- Pwdump
- RainbowCrack
- Brutus

Attackers mainly target Web form authentication, SSH tunnels, FTP servers, SMTP servers, and Web shares for credential cracking. The following are the most common passwords:
- password
- root
- administrator
- admin
- demo
- test
- guest
- qwerty
- pet names

Attackers use the following methods for obtaining passwords:
- Social engineering
- Spoofing
- Phishing
- Using a Trojan horse or virus
- Wiretapping
- Keystroke logging

THC Hydra

THC Hydra is a fast network authentication cracker that supports many different services. Hydra was developed by a German group called The Hacker's Choice (THC). THC Hydra uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords. The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS SQL, MySQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.

Brutus

Brutus is a password cracking tool that performs both dictionary attacks and brute force attacks, in which passwords are generated from a given character set. Brute forcing can be performed against the following authentication types:
- HTTP (Basic Authentication)
- HTTP (HTML Form/CGI)
- POP3 (Post Office Protocol v3)
- FTP (File Transfer Protocol)
- SMB (Server Message Block)
- Telnet

Windows Password Unlocker

Windows Password Unlocker is a Windows password recovery tool with an intuitive graphical user interface rather than a DOS-like text screen, which makes resetting Windows login passwords quick. This is useful when the administrator's password is forgotten or lost.

PasswordsPro

PasswordsPro is a password recovery tool that works on hashes of the following formats: Blowfish (OpenBSD), DES (Unix), DES (Oracle), MySQL, MySQL5, MD2, MD4, MD5, MD5 (Unix), MD5 (APR), MD5 (phpBB3), MD5 (WordPress), MSSQL (2000), MSSQL (2005), NTLM, HAS-160, SHA-1, SSHA-1, SHA-2, SHA-384, SHA-512, SHA-256 (Unix), SHA-512 (Unix), Domain Cached Credentials, Haval 128/160/192/224/256, RIPEMD-128/160/256/320, Tiger-128/160/192, GOST R 34.11-94, Skein 256/512/1024, Snefru-128/256, Whirlpool, and many other algorithms.

IKECrack

IKECrack is an IKE/IPsec authentication cracking tool that uses brute force to search password and key combinations on networks using Pre-Shared-Key authentication. It attacks the pre-shared key used in IKE Phase 1 (an IPsec mechanism, not a Wi-Fi protocol) by repeatedly trying candidate passphrases or keys against the captured authentication exchange.

Ophcrack

Ophcrack is a free, open source (GPL-licensed) program that cracks Windows passwords by looking up LM (and NTLM) hashes in rainbow tables. The program can import hashes from a variety of formats, including dumping directly from the Windows SAM file. On most computers, Ophcrack can crack most LM-hashed passwords within a few minutes.

AutoComplete

AutoComplete is a browser feature that offers the user values previously entered in a field, suggesting possible matches as the user types. The user can accept or ignore the suggestions. The feature is enabled or disabled by the user; the author of a website can only ask the browser not to use it for a given field (the autocomplete attribute), and browsers are free to ignore that request.
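Returning to the webserver password cracking techniques listed earlier in this section (guessing, dictionary, hybrid, brute force): the following added example, which is not code from the original page or from any of the tools named above, runs the three automated techniques in order of cost against a constructed set of hashes and reports how many guesses each one needed. The wordlist, suffix rules, character set and the toy unsalted SHA-256 "database" are all assumptions made for the example.

```python
import hashlib
import itertools


def sha256_hex(password):
    """Toy unsalted hash standing in for a stored password hash. Real
    systems should use a slow, salted hash (bcrypt, scrypt, Argon2),
    which multiplies the cost of every guess below by a large constant."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Small constructed wordlist and mangling rules (assumptions of this example).
WORDLIST = ["password", "admin", "letmein", "qwerty", "summer", "dragon"]
SUFFIXES = ["", "1", "12", "123", "!", "2024", "!1"]
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def dictionary_attack(target, words):
    """Try each word as-is. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for w in words:
        attempts += 1
        if sha256_hex(w) == target:
            return w, attempts
    return None, attempts


def hybrid_attack(target, words, suffixes):
    """Dictionary words with case mangling and numeric/symbol suffixes."""
    attempts = 0
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                attempts += 1
                cand = base + s
                if sha256_hex(cand) == target:
                    return cand, attempts
    return None, attempts


def brute_force_attack(target, charset, max_len):
    """Every string over charset up to max_len, shortest first."""
    attempts = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            attempts += 1
            cand = "".join(tup)
            if sha256_hex(cand) == target:
                return cand, attempts
    return None, attempts


def crack(target, words=WORDLIST, suffixes=SUFFIXES, charset=CHARSET, max_len=3):
    """Run the techniques in order of cost.

    Returns (technique, password, total_attempts); technique and password
    are None when the hash survives every stage within the limits."""
    total = 0
    stages = (
        ("dictionary", lambda: dictionary_attack(target, words)),
        ("hybrid", lambda: hybrid_attack(target, words, suffixes)),
        ("brute force", lambda: brute_force_attack(target, charset, max_len)),
    )
    for name, run in stages:
        found, attempts = run()
        total += attempts
        if found is not None:
            return name, found, total
    return None, None, total


if __name__ == "__main__":
    # Constructed passwords chosen to fall to different techniques; the
    # last one survives all three within the example's limits.
    for pw in ["qwerty", "Summer2024", "a9z", "Tr0ub4dor&3"]:
        print(pw, "->", crack(sha256_hex(pw)))
```

The attempt counts are the point: the dictionary and hybrid stages cost a few hundred guesses, while exhausting a 36-character alphabet at only three characters already costs about 48,000, and each extra character multiplies that by 36. Rainbow tables (used by Ophcrack and RainbowCrack above) trade that computation for precomputed storage, which is why salting defeats them and why LM hashes, which are unsalted and split into 7-character halves, fall so quickly.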
AutoFill

The AutoFill feature of a browser automatically fills in the text in a text box as the user types. It does not suggest options as AutoComplete does. The AutoFill feature is controlled by the user of the browser, not by the author of the website.

Webserver hacking techniques

The most commonly used webserver hacking techniques are as follows:
- Password cracking techniques: An attacker can use brute forcing or rainbow tables to crack an administrator account password.
- Man-in-the-middle attack: An attacker can also use a man-in-the-middle/ARP poisoning attack to steal the credentials of an administrator account.
- Keyloggers and Trojans: An attacker can install a Trojan or a keylogger on an administrator's computer to capture the credentials.
- DNS cache poisoning attack: An attacker can insert fake address records for a domain name into a DNS server so that clients are sent to the attacker's server instead of the real Web server.

12.6 Understand webserver attack methodology

Exam Focus: Understand webserver attack methodology. Objective includes:
- Identify Web application attacks.
- Understand webserver attack methodology.

Web application attacks

Vulnerabilities in the Web applications that run on a webserver provide a broad attack path for webserver compromise. The following are Web application attacks:
- Unvalidated input
- Parameter/form tampering
- Directory traversal
- SQL injection attack
- Command injection attack
- File injection attack
- Cross-site scripting attack
- Denial of Service attack
- Buffer overflow attack

Webserver attack methodology

The following methodology is used to attack a Web server and compromise its security:
- Information gathering: In this step, an attacker gathers information about the targeted company using the Internet, newsgroups, bulletin boards, etc. The attacker can use tools such as Whois, traceroute, Active Whois, etc. and obtain details such as the domain name, IP address ranges, or autonomous system number by querying the Whois database.
- Webserver footprinting: In this step, an attacker uses footprinting techniques to collect valuable system-level information, such as:
  - Account details
  - Operating system and other software versions
  - Server names
  - Database schema details
  Footprinting can be performed using tools such as ID Serve, httprecon, and Netcraft.
- Mirroring a Website: In this step, a complete profile of the site's directory structure, file structure, external links, etc. is created by mirroring the Website. Comments and other items in the HTML source code should be searched to make footprinting more efficient. An attacker can use tools such as HTTrack, WebCopier, and BlackWidow to mirror a Website.
- Vulnerability scanning: Vulnerability scanning is performed to recognize weaknesses in a network and find out whether a system can be exploited. To perform vulnerability scanning, an attacker can use vulnerability scanners such as HP WebInspect, Nessus, and Paros. Sniffing the network reveals active systems, network services, applications, and vulnerabilities present. The Web server infrastructure is tested for misconfiguration, outdated content, and known vulnerabilities.
- Session hijacking: Valid session IDs are sniffed in order to gain unauthorized access to the webserver and snoop on data. Session hijacking techniques such as session fixation, session sidejacking, and cross-site scripting are used to capture valid session cookies and IDs. To perform session hijacking, an attacker can use tools such as Burp Suite, Hamster, and Firesheep.
- Hacking webserver passwords: Password cracking techniques are used to crack webserver passwords. For this, an attacker can use Brutus, THC-Hydra, etc.

12.7 Identify webserver attack tools, and identify countermeasures against webserver attacks

Exam Focus: Identify webserver attack tools, and identify countermeasures against webserver attacks. Objective includes:
- Identify webserver attack tools.
- Identify countermeasures against webserver attacks.
Webserver attack tools

The following are webserver attack tools:
- UrlScan
- Nikto
- Nessus
- WWWhack
- Acunetix
- HP WebInspect

Metasploit framework

The Metasploit framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms. Metasploit can be used to test the vulnerability of computer systems in order to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. The basic steps for exploiting a system using the framework are:
1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; the framework ships with a large and growing number of exploits for Windows, Unix/Linux, and Mac OS X systems).
2. Checking whether the intended target system is susceptible to the chosen exploit.
3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry, for instance a remote shell or a VNC server).
4. Choosing an encoding technique to encode the payload so that an intrusion prevention system will not recognize it.
5. Executing the exploit.

This modularity, combining any exploit with any payload, is the major advantage of the framework. It facilitates the tasks of attackers, exploit writers, and payload writers.

Metasploit architecture

(The original page shows a diagram of the Metasploit architecture here.)

Metasploit exploit module

A Metasploit exploit module encapsulates an exploit. A single exploit module can target many platforms. Using the mixins feature, users can modify exploit behavior dynamically, run brute force attacks, and attempt passive attacks. Using an exploit module involves the following steps:
- Configure the active exploit.
- Verify the exploit options.
- Select a target.
- Select the payload.
- Launch the exploit.

Metasploit payload module

The Metasploit payload module sets up a communication channel between the Metasploit framework and the victim host. It contains the arbitrary code that is executed as the result of an exploit. A payload is selected before it is generated.

Metasploit auxiliary module

The Metasploit auxiliary module is used to carry out arbitrary one-off actions such as the following:
- Port scanning
- Denial of Service
- Fuzzing

The run command or the exploit command is used to run an auxiliary module.

Metasploit NOPS module

The Metasploit NOPS module generates no-operation instructions. NOP instructions are used to pad buffers so that execution lands reliably on the payload. The generate command is used to generate a NOP sled of arbitrary size and display it.

Wfetch

Wfetch is used to fully customize and send an HTTP request to a webserver in order to see the raw HTTP request and response data. It lets testers exercise Websites that include new elements such as Active Server Pages (ASP) and wireless protocols.

ServerMask

ServerMask is a tool used to hide information about IIS webservers. Since IIS webservers have been targeted by attacks such as the Code Red worm and the IIS Unicode exploit, ServerMask removes unnecessary HTTP headers and response data, as well as file extensions like .asp or .aspx that are clear indicators that a site is running on a Microsoft server. In addition, ServerMask modifies the ASP session ID cookie values, default messages, pages, and scripts of all kinds to mislead an attacker.

Improving Web server security

A Web server administrator can do the following things to improve the security of a Web server:
- Renaming the administrator account and using a strong password: In the first step, the administrator should rename the administrator account.
To rename the administrator account in Windows, open User Manager, right-click the administrator account, and select Rename. In the second step, the administrator should use a strong password.
- Disabling default Websites and FTP sites: To disable the default Website, right-click the default Website in IIS Manager and choose the Stop option. The same process also works for the default FTP site.
- Removing unnecessary applications from the server: The administrator should remove unnecessary applications, such as WebDAV, from the server. These unnecessary applications can be removed from Add/Remove Programs in the Windows Control Panel.
- Disabling remote administration: The administrator should use a script to map unused file extensions to a 404 ("File not found") error message.
- Enabling logging and auditing: The administrator should use a firewall between the Web server and the Internet and allow only necessary ports, such as 80 and 443, through the firewall.

krbpwguess
krbpwguess is a Kerberos password guessing tool. It is built against the Heimdal Kerberos libraries and has been tested and is known to work on Snow Leopard and Ubuntu Linux.

Defending against Webserver attacks
The following actions should be taken to defend against webserver attacks:
- URL mappings to internal servers should be created cautiously.
- A database server, such as Microsoft SQL Server, should be installed on a separate server if it is to be used as a backend database.
- A dedicated machine is not required to be used as a Web server.
- The IIS server is not required to be installed on a domain controller.
- Server-side session ID tracking should be used, and connections should be matched with time stamps, IP addresses, etc.
- Scanning tools provided with Web server software, and scanners that automate and simplify the process of securing a webserver, should be used.
- Incoming traffic requests should be screened and filtered.
- The webserver machine in a secure machine room should not be physically protected.
- A separate anonymous user account should be configured for each application if you host multiple Web applications.
- The IIS server should not be connected to the Internet until it is fully hardened.
- You should not allow anyone except the administrator to log on locally to the machine.
- The server functionality should be limited to support only the Web technologies that are going to be used.
- The ports on the server should be audited regularly to ensure that no insecure or unnecessary service is active on the webserver.
- Inbound traffic should be limited to port 80 for HTTP and port 443 for HTTPS (SSL).
- Intranet traffic should be encrypted or restricted.
- It should be ensured that certificate date ranges are valid and that certificates are used for their intended purpose.
- It should be ensured that the certificate has been revoked and that the certificate's public key is valid to a trusted root authority.
- It should be ensured that unused HttpModules are removed and that protected resources are mapped to HttpForbiddenHandler.
- It should be ensured that tracing is disabled and debug compiles are turned off.
- Secure coding practices should be implemented to avoid source code disclosure and input validation attacks.
- Code access security policy settings should be restricted to ensure that code downloaded from the Internet or intranet has no permission to execute.
- The IISLockdown tool should be used. It reduces the vulnerability of a Windows 2000 webserver. It permits a user to pick a specific type of server role and then improve security for that server by using custom templates.
- The services running with least-privileged accounts should be disabled.
- The Telnet service should be disabled.
- All unnecessary services should be switched off and disabled so that they are not started automatically when the server is next rebooted. This also enhances server performance by freeing some hardware resources.
- Restricted ACLs should be applied, and remote registry administration should be blocked.
- The SAM (stand-alone servers only) should be secured.
- All unnecessary file shares, including the default administration shares, should be removed if they are not needed.
- Shares should be secured with restricted NTFS permissions.
- It should be ensured that security-related settings are configured appropriately and that access to the metabase file is restricted with hardened NTFS permissions.
- Banner information returned by IIS should be restricted.
- A minimum level of auditing should be enabled on your webserver, and NTFS permissions should be used to protect the log files.
- All unnecessary IIS script mappings for optional file extensions should be removed to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.
- Sites and virtual directories should be relocated to non-system partitions, and IIS Web permissions should be used to restrict access.
- Unnecessary ISAPI filters should be removed from the webserver.

Prevent Web servers from attacks
A network administrator can secure the following entities to prevent attacks on Web servers:
- Ports: The Web server administrator should audit ports on the server regularly. He should limit inbound traffic to ports 443 and 80. He should also encrypt or restrict intranet traffic.
- Server certificates: The administrator should ensure that certificate date ranges are valid.
- Machine.config: The administrator should ensure that protected resources are mapped and useless resources are removed. He should also ensure that tracing is disabled and debug compiles are turned off.
- Code access security: The administrator should implement secure coding practices. He should also restrict code access security policy settings to ensure that downloaded code has no permission to execute, and configure IIS to prevent path traversal.
- Registry: The administrator should block remote registry administration and apply restricted ACLs.
- Shares: The administrator should remove all unused file shares. He can secure the remaining shares with restricted NTFS permissions.
- Auditing and logging: The administrator should enable a minimum level of auditing and should use NTFS permissions to protect the log files.
- Script mappings: The administrator should remove all unused script mappings to avoid bugs in the ISAPI extensions.
- Sites and virtual directories: The administrator should relocate sites and virtual directories to non-system partitions.
- ISAPI filters: The administrator should remove unused ISAPI filters.
- URL mappings: The administrator should create URL mappings to internal servers cautiously.
- Domain controller: The administrator should ensure that a domain controller is not installed on the Web server.
- Session ID tracking: The administrator should use server-side session ID tracking and match a connection with timestamps, IP addresses, etc.
- SQL Server: The administrator should install SQL Server on a separate server.

Countermeasures against patches and updates
The following countermeasures are taken regarding patches and updates:
- Existing vulnerabilities and patches should be scanned for, and the server software should be updated regularly.
- All relevant documentation should be read and peer reviewed before applying any service pack, hotfix, or security patch.
- All updates, regardless of their type, should be applied on an as-needed basis.
- Service packs and hotfixes should be tested in a representative non-production environment prior to being deployed to production.
- It should be ensured that service pack, hotfix, and security patch levels are consistent on all domain controllers.
- It should be ensured that server outages are scheduled and that a complete set of backup tapes and emergency repair disks is available.
- A back-out plan should be used. It allows the system and enterprise to return to their original state, before the failed implementation.
- Periodic service pack upgrades should be scheduled as part of operations maintenance, and more than two service packs should never be used.

Countermeasures against protocols
The following countermeasures are taken regarding protocols:
- All unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB should be blocked.
- The TCP/IP stack should be hardened, and the latest software patches and updates to system software should be applied consistently.
- Appropriate measures should be taken to provide secure authentication and communication if insecure protocols such as Telnet, POP3, SMTP, and FTP are used.
- Tunneling and encryption protocols should be used to secure the remote connection properly if remote access is required.
- WebDAV should be disabled if it is not used by the application, or kept secure if it is needed.

Countermeasures against files and directories
The following countermeasures are taken regarding files and directories:
- Unnecessary files within the .jar files should be eliminated.
- Serving of directory listings should be disabled.
- Sensitive information within the byte code should be eliminated.
- The presence of non-web files such as archive files, backup files, text files, and header/include files should be eliminated.
- Mapping of virtual directories between two different servers or over a network should be avoided.
- A resource mapping should be created to disable serving certain file types.
- All network service logs, Website access logs, database server logs, and operating system logs should be monitored and checked frequently.

12.8 Understand patch management, assess webserver security tools
Exam Focus: Understand patch management, and assess webserver security tools. Objective includes:
- Understand patch management.
- Assess webserver security tools.
- Understand webserver pen testing.

Patch management
Patch management is an area of systems management. It involves acquiring, testing, and installing multiple patches (code changes to system software) on an administered computer system. Patch management includes the following tasks:
- Maintain current knowledge of available patches.
- Decide what patches are appropriate for particular systems.
- Ensure that patches are installed properly.
- Test systems after installation and document all associated procedures, such as specific configurations required.
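The patch management tasks above, as an added example that is not part of the original text or of any product it names: a small Python reconciliation that decides which advisories apply to each host (honouring cumulative packages that supersede older ones), validates the downloaded file's SHA-256 against the published digest, and stages only verified patches to a test environment. All advisories, hosts, identifiers, digests and file contents are constructed placeholders.

```python
"""Added example: patch applicability, supersedence and checksum gating.
Every advisory, host, identifier and digest below is constructed for the
example; none refers to a real vendor release."""
import hashlib
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}


@dataclass(frozen=True)
class Advisory:
    """One entry in the administrator's knowledge of available patches."""
    patch_id: str              # placeholder identifier, e.g. "PATCH-0001"
    product: str               # product the patch applies to
    affected_versions: tuple   # versions that need the patch
    severity: str              # "critical", "important" or "moderate"
    supersedes: tuple = ()     # earlier patches this cumulative package replaces
    sha256: str = ""           # vendor-published digest of the patch file


@dataclass
class Host:
    name: str
    product: str
    version: str
    installed: set = field(default_factory=set)   # patch ids already applied


def missing_patches(host, advisories):
    """Decide which advisories apply to this host and are not yet installed.
    A patch counts as covered if it, or a patch that supersedes it, is installed."""
    applicable = [a for a in advisories
                  if a.product == host.product and host.version in a.affected_versions]
    covered = {old for a in advisories if a.patch_id in host.installed for old in a.supersedes}
    needed = [a for a in applicable
              if a.patch_id not in host.installed and a.patch_id not in covered]
    # If a needed patch is itself superseded by another needed patch, deploy only the newer one.
    replaced = {old for a in needed for old in a.supersedes}
    needed = [a for a in needed if a.patch_id not in replaced]
    return sorted(needed, key=lambda a: (SEVERITY_RANK[a.severity], a.patch_id))


def verify_patch_file(data: bytes, advisory: Advisory) -> bool:
    """Validate the downloaded file's checksum against the published digest
    before it goes anywhere near the test or production stage."""
    return hashlib.sha256(data).hexdigest() == advisory.sha256


def deployment_plan(hosts, advisories, downloads):
    """Per-host plan: only checksum-verified patches are staged to test;
    anything else is flagged so it is never pushed to production."""
    plan = {}
    for host in hosts:
        entries = []
        for adv in missing_patches(host, advisories):
            blob = downloads.get(adv.patch_id)
            if blob is not None and verify_patch_file(blob, adv):
                entries.append((adv.patch_id, adv.severity, "stage-to-test"))
            else:
                entries.append((adv.patch_id, adv.severity, "blocked: checksum/source unverified"))
        plan[host.name] = entries
    return plan


# Constructed sample data (placeholder products and patch ids)
GOOD_PATCH = b"constructed patch payload v2"
ADVISORIES = [
    Advisory("PATCH-0001", "ExampleWebServer", ("6.0", "7.0"), "important",
             sha256=hashlib.sha256(b"constructed patch payload v1").hexdigest()),
    Advisory("PATCH-0002", "ExampleWebServer", ("6.0", "7.0"), "critical",
             supersedes=("PATCH-0001",), sha256=hashlib.sha256(GOOD_PATCH).hexdigest()),
    Advisory("PATCH-0003", "ExampleDatabase", ("11",), "moderate",
             sha256=hashlib.sha256(b"db fix").hexdigest()),
]
HOSTS = [
    Host("web01", "ExampleWebServer", "7.0"),
    Host("web02", "ExampleWebServer", "7.0", installed={"PATCH-0002"}),
    Host("db01", "ExampleDatabase", "11"),
]
DOWNLOADS = {
    "PATCH-0002": GOOD_PATCH,
    "PATCH-0003": b"db fix TAMPERED",   # digest mismatch: must be blocked
}

if __name__ == "__main__":
    for host, entries in deployment_plan(HOSTS, ADVISORIES, DOWNLOADS).items():
        print(host, entries)
```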
There are a number of products that can be used to automate patch management tasks, including RingMaster's Automated Patch Management, PatchLink Update, and Gibraltar's Everguard.

Automated patch management process
Automated patch management includes the following steps:
1. Detect: Tools are used to detect missing security patches.
2. Assess: Evaluate the factors that may influence the decision to address the issue and its associated severity.
3. Acquire: The patch is downloaded for testing.
4. Test: The patch is first installed on a testing machine in order to verify the consequences of the update.
5. Deploy: The patch is deployed on the computers, and it is ensured that applications are not affected.
6. Maintain: A user should subscribe to notifications regarding vulnerabilities as they are reported.

Patch management tools
The following are patch management tools:
- Altiris Client Management Suite
- Novell ZENworks Patch
- ProManage Remote Infrastructure Monitoring
- Security Manager Plus
- GFI LANguard
- Prism Patch Manager
- Kaseya Security Patch Management
- MaaS360's Patch Management
The following are some important patch management tools:
- Altiris Client Management Suite: It automates time-consuming and redundant tasks in order to minimize the effort and cost associated with deploying, patching, and supporting client systems and software.
- GFI LANguard: It provides patch management, vulnerability assessment, and network auditing. It is used for the following purposes:
  o It secures the network comprehensively.
  o It supports proving compliance with security standards, such as PCI DSS.
  o It increases productivity for IT staff and end users.
- Prism Patch Manager: It has the following features and benefits:
  o Automatic notification: It generates alerts of a user's patch deficiencies, including subscription and remediation failures and license expirations.
  o Intelligent patch wizard: It provides quick and easy installation of patches from one of the world's largest patch repositories.
  o Simplified process: It streamlines the entire software patch process, from initially detecting new patches to deploying and installing tested patches.
- MaaS360's Patch Management: It is used to ensure that devices have the latest security patches and updates, regardless of whether they are on the corporate LAN or just connected to the Internet.
- Kaseya Security Patch Management: It automatically keeps computers up to date by applying the latest patches and updates.

Patch installation
Security patches can be accessed and installed through the World Wide Web (WWW). The following ways can be used to install patches:
- Manual installation: In this method, a user downloads the patch from the vendor's site and installs it.
- Automatic installation: In this method, applications use the Auto Update feature to update themselves.

Identify appropriate sources for updates and patches
The following actions should be taken to identify appropriate sources for updates and patches:
- Make a patch management plan that fits the operational environment and business objectives.
- Determine appropriate updates and patches on the home sites of the application or operating system vendors.
- Registering with the home sites to receive alerts is the recommended way of tracking issues relevant to proactive patching.

Implementation and verification of a security patch or upgrade
The source should be verified before installing any patch. A proper patch management program should be used to validate file versions and checksums before security patches are deployed. The patched systems should be monitored by the patch management tool. The patch management team should regularly check for updates and patches.

Hotfix
A hotfix provides a single, cumulative package that includes one or more files that are used to address a problem in a product. A hotfix addresses a specific customer situation and may not be distributed outside the customer's organization. Microsoft Customer Service and Support distributes hotfixes. Customers may not redistribute hotfixes without legal, written consent from Microsoft. Hotfixes are not always fully regression tested, meaning that one should only be applied if a user is experiencing a problem for which a hotfix is the recommended path.

Web server security tools
The following tools are used for Web server security:
- Retina: Retina Web security scanner is a best-in-class Web scanning solution. It rapidly and accurately scans large, complex Websites and Web applications in order to tackle Web-based vulnerabilities.
- NScan: NScan is one of the fastest and most flexible port scanners for Windows. It is designed to scan large networks and gather related network/host information.
- NetIQ Secure Configuration Manager: NetIQ Secure Configuration Manager enables a user to easily detect misconfigured systems that can result in expensive breaches or failures. It is required to meet compliance goals. NetIQ Secure Configuration Manager enables the user to do the following:
  o Assess configurations against compliance mandates, such as PCI DSS, HIPAA, SOX, NERC, FDCC, and more
  o Report on systems that are out of configuration and easily manage exceptions to compliance
  o Apply industry best practices on users' systems to ensure good security
  o Identify and report users' entitlements to systems
- SAINT: SAINT (System Administrator's Integrated Network Tool) is computer software used for scanning computer networks for security vulnerabilities and exploiting found vulnerabilities. The SAINT scanner screens every live system on a network for TCP and UDP services. For each running service that it finds, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network.
- N-Stealth Security Scanner: N-Stealth is a Web server security-auditing tool that is used to scan for over 30,000 vulnerabilities.
- Infiltrator Network Security Scanner: It can quickly audit network computers for vulnerabilities, exploits, and information enumerations.

Microsoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer (MBSA) is a security feature found in Windows XP that protects a computer from security lapses. It scans computers to analyze their security and prepares a report for each computer that it scans. The report prepared by MBSA is used to determine the steps required to secure a computer or computers on a network. MBSA does not come with the base operating system; a user needs to download it first. It can be run on computers running Windows 2000, Windows XP, or Windows Server 2003. MBSA can be used to check for the following:
- Windows vulnerabilities
- Weak passwords
- IIS vulnerabilities
- SQL vulnerabilities
- Security updates

Webserver pen testing
Webserver pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a webserver. A series of methodical and repeatable tests is conducted to perform penetration testing. During penetration testing, a tester should work through all the different application vulnerabilities. Webserver pen testing is required for the following reasons:
- Identification of Web infrastructure: It is required to identify the make, version, and update levels of webservers. This supports selecting exploits to test for the associated published Websites.
- Verification of vulnerabilities: It is required to exploit the vulnerability in order to test and fix the issue.
- Remediation of vulnerabilities: It is needed to retest the solution against the vulnerability. This ensures that the solution is completely secure.

Sandcat
Sandcat is a multi-process Web application security scanner. It maps the entire Website structure and simulates a wide range of attacks, sending thousands of requests to find custom, unique vulnerabilities. Sandcat tests for SQL injection, XSS, file inclusion, and many other Web application vulnerability classes. The process of reviewing the Web application's code is automated by Sandcat's code scanning functionality.

Core Impact
Core Impact is software used to assess the real-world security of:
- Web applications
- Network systems
- Endpoint systems and email users
- Wireless networks
- Network devices

CANVAS
CANVAS is an automated exploitation system. It is considered a comprehensive, reliable exploit development framework for security professionals and penetration testers. It supports all the new modern hardware that runs on your selected operating system.

Webserver penetration testing
The following actions should be taken during webserver penetration testing:
1. Gather as much information as possible regarding the organization, ranging from its physical location to its operating environment.
2. Collect information such as human resources, contact details, etc. by using social engineering techniques. This may help in webserver authentication testing.
3. Obtain details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc. by using Whois database query tools.
4. Use tools such as ID Serve, httprecon, and Netcraft to fingerprint the Web server in order to gather information such as server name, server type, operating system, applications running, etc.
5. Crawl Websites in order to gather specific types of information from Web pages.
6. Enumerate webserver directories in order to extract essential information such as Web functionalities, login forms, etc.
7. Access restricted directories and execute commands outside of the web server's root directory by performing the directory traversal attack.
8. Use tools such as WebInspect, Nessus, and Paros proxy to identify weaknesses in a network by performing vulnerability scanning, and determine if the system can be exploited.
9. Perform the HTTP response splitting attack in order to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
10. Capture valid session cookies and IDs by performing session hijacking.
11. Perform the MITM attack to access sensitive information by intercepting and altering communications between an end user and webservers.
12. Examine webserver logs by using tools such as Webalizer, Ktmatu Relax, etc.
13. Exploit frameworks by using tools such as Acunetix, Metasploit, w3af, etc.

Chapter Summary
In this chapter, we learned about Webserver attacks, open source webserver architecture, IIS webserver architecture, Website defacement, and the impact of webserver attacks. This chapter focused on webserver misconfiguration, directory traversal attacks, the HTTP response splitting attack, the Web cache poisoning attack, HTTP response hijacking, the SSH brute force attack, the man-in-the-middle attack, and webserver password cracking techniques. This chapter also covered Web application attacks, webserver attack tools, countermeasures against webserver attacks, and patch management.
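The log examination in step 12 and the earlier countermeasure to monitor Website access logs, as an added example that is not part of the original text or of any tool it names: a Python detector run over constructed access-log lines that normalizes percent-encoding (including double encoding and the overlong %c0%af slash of the IIS Unicode exploit the chapter mentions) and flags the directory traversal and HTTP response splitting patterns of steps 7 and 9, plus repeated 401 responses from one source as a brute force indicator. The log lines, addresses and the failure threshold are constructed.

```python
"""Added example: defensive access-log review for traversal, CRLF injection
and repeated authentication failures. Sample lines are constructed and use
RFC 5737 documentation addresses."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Common Log Format with the request line split out; the sample lines below match it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def normalize(target: str) -> str:
    """Decode percent-encoding twice so %252e%252e%252f and %2e%2e%2f both
    become ../, then fold the overlong UTF-8 slash (%c0%af) and backslashes to '/'."""
    raw = unquote_to_bytes(target)
    raw = unquote_to_bytes(raw)          # second pass catches double encoding
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\\", b"/")
    return raw.decode("utf-8", "replace")


def classify(entry) -> list:
    """Return the attack indicators seen in one parsed log entry."""
    findings = []
    norm = normalize(entry["target"])
    if "../" in norm:
        findings.append("directory-traversal")
    if "\r" in norm or "\n" in norm:     # CRLF in a request value: response splitting attempt
        findings.append("response-splitting")
    return findings


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, auth_fail_threshold=3):
    """Run the detections over the log and summarize per source IP.
    Returns {ip: {"indicators": set, "auth_failures": int, "brute_force": bool}}."""
    report = {}
    failures = Counter()
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        rec = report.setdefault(entry["ip"],
                                {"indicators": set(), "auth_failures": 0, "brute_force": False})
        rec["indicators"].update(classify(entry))
        if entry["status"] == "401":
            failures[entry["ip"]] += 1
    for ip, n in failures.items():
        report[ip]["auth_failures"] = n
        report[ip]["brute_force"] = n >= auth_fail_threshold
    return report


# Constructed sample log: one benign request, two traversal attempts (overlong
# slash and double encoding), one CRLF injection, three failed admin logins.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.20 - - [10/Oct/2000:13:55:40 -0700] "GET /scripts/..%c0%af../restricted/config.txt HTTP/1.0" 404 512',
    '192.0.2.20 - - [10/Oct/2000:13:55:41 -0700] "GET /files?name=..%252f..%252fetc%252fpasswd HTTP/1.0" 404 210',
    '192.0.2.30 - - [10/Oct/2000:13:56:01 -0700] "GET /redirect?lang=en%0d%0aSet-Cookie:%20injected=1 HTTP/1.1" 302 0',
    '192.0.2.40 - - [10/Oct/2000:13:57:00 -0700] "GET /admin/ HTTP/1.1" 401 0',
    '192.0.2.40 - - [10/Oct/2000:13:57:01 -0700] "GET /admin/ HTTP/1.1" 401 0',
    '192.0.2.40 - - [10/Oct/2000:13:57:02 -0700] "GET /admin/ HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, sorted(rec["indicators"]), rec["auth_failures"], rec["brute_force"])
```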
Glossary
Brutus
Brutus is a password cracking tool that performs both dictionary and brute force attacks, in which passwords are randomly generated from given characters.
Denial of Service attack
A Denial of Service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users.
Directory traversal
A directory traversal consists of exploiting insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
DNS cache poisoning
DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources.
Hotfix
A hotfix provides a single, cumulative package that includes one or more files that are used to address a problem in a product.
Metasploit framework
Metasploit framework is a tool for developing and executing exploit code against a remote target machine.
Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a security feature found in Windows XP that protects a computer from security lapses.
Password
A password is a combination of characters, integers, and special symbols that allows a user to access a file or a program.
Password cracker
A password cracker is an application program that is used to identify an unknown or forgotten password to a computer or network resource.
Patch management
Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes to system software) on an administered computer system.
RID
RID detects the presence of Trinoo and TFN.
ServerMask
ServerMask is a tool that is used to hide information about IIS Webservers. Since IIS Webservers are vulnerable to various attacks, such as the Code Red worm, the IIS Unicode exploit, etc., ServerMask mitigates such attacks by removing all unnecessary HTTP headers and response data, and file extensions like .asp or .aspx, which are clear indicators that a site is running on a Microsoft server.
Sshguard
Sshguard is an SSH brute-forcing prevention tool that monitors servers through their logging activity.
Web defacement
Website defacement is an attack on a Website that changes the visual appearance of the site or a webpage.
Webserver misconfiguration
Webserver misconfiguration denotes a configuration weakness in the Web infrastructure.