CEH Lesson 5 - Web Server Hacking


Certified Ethical Hacker

Lesson 5
Web Server Hacking, Web Applications, and Database Attacks
Lesson 6
Objectives

After reading this lesson you will be able to:

 Identify the components of a web infrastructure
 Explain how to scan web servers
 Know how to identify web server vulnerabilities
 Explain how web application hacking works
 Describe web-based authentication
 Describe web-based password cracking techniques
 Be familiar with SQL vulnerabilities
Web Server Hacking
Web Server Hacking cont.

 HTML and HTTP are the standards that originally defined web architecture.
 HTTP has four stages.
 Web attacks focus on
– Scanning
– Banner grabbing
– Attacking the web server
– Surveying the application
– Attacking authentication
– Exploiting the database
Scanning Web Server

 Common ports:
– 80 – HTTP
– 88 – Kerberos
– 8080 – Squid
– 8888 – Alternative web server
 Scanning tools:
– ID Serve
– ScanLine
– Super Scan
– Nmap
Using Nmap Scripts
 The -sC option enables the most common scripts, while the --script option
lets you specify which script to run. The --script option also takes comma-separated
values as arguments. The arguments specify which scripts will be executed when
Nmap starts. Several examples are shown here:
– nmap -sV -O -p 80 IP_address
– nmap -sV --script=http-enum IP_address
– nmap IP_address -p 80 --script=http-frontpage-login
– nmap --script http-passwd --script-args http-passwd.root=/ IP_address
Banner Grabbing and Enumeration
 The attacker tries to get additional information about the servers and their
components.
 Popular web servers:
– IIS web server
– Apache web server
– Sun ONE web server
 Tools for enumeration and banner grabbing:
– Netcraft
– Telnet
– Netcat
– Wikto
– Black Widow
– Teleport Pro
– Wget
Web Server Vulnerability Identification
 Perform this step after the vendor and version of the
web server is identified.
 Check sites that list known vulnerabilities:
– www.securityfocus.com
– www.packetstormsecurity.org
– http://nvd.nist.gov
– http://exploit-db.com
Attacks Against Web Servers
 IIS Vulnerabilities:
– Buffer overflow attacks:
• ISAPI DLL Buffer overflow attack:
– Discovered June 2001
– Affects Windows NT and 2000
– Targets idq.dll, which runs as SYSTEM, so the attacker can escalate and add himself to the Administrators group
• IPP Printer Overflow attack:
– Discovered 2001
– Affects Windows 2000 running IIS 5.0
• Metasploit can be used to launch buffer overflow attacks
– Source disclosure attacks:
• Can be used to uncover passwords, web design, or business logic
• +.htr exploit
– File system traversal attacks:
• Unicode input validation attack
– DNS amplification attack
• Reflect large amounts of DNS traffic
DNS Amplification
Securing IIS

 Harden before deploying.
 Patch management:
– Use automated patch management tools:
• Windows Server Update Services
• Microsoft HotFix Checker
• GFI LANguard
 Disable unneeded services:
– Microsoft Baseline Security Analyzer
– IIS Lockdown
– SOAPUI
– Retina
 Lock down the file system:
– Use NTFS and enable file level security and encryption.
 Enable logging and auditing.
Web Application Attacks

 Unvalidated input
– Input from the client is not validated before processing.
 Parameter/form tampering
– Manipulation of the parameters passed between the client and the web application
 Injection flaws
– Allow untrusted data to be executed as if it were valid
– SQL injection
– Command injection
– File injection
– LDAP injection
– XML injection
Web Application Attacks cont.

 Cross site scripting (XSS) and cross site request forgery attack
– Gained popularity in recent years
– Depend on input that is not properly sanitized
 Cross site request forgery (CSRF)
 Hidden fields attack
– The attacker can modify hidden fields following these three steps:
• Save page locally and open source code.
• Modify the amount and save the page.
• Refresh the local HTML page and click Add to Cart.
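The three steps above work only because the server trusts a value the client sent. The following is an added example (not part of the slides), with a constructed catalog and form data, contrasting a checkout handler that trusts the hidden price with one that looks the price up server-side and bounds the quantity:

```python
from decimal import Decimal

# Constructed catalog standing in for the shop's product database.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("5.00")}

def vulnerable_checkout(form):
    """Trusts the hidden 'price' field, so editing the saved page changes what is charged."""
    return Decimal(form["price"]) * int(form["qty"])

def hardened_checkout(form):
    """Ignores any client-supplied price: looks it up server-side and bounds the quantity."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty

def rejects(form):
    """True when the hardened handler refuses the submission."""
    try:
        hardened_checkout(form)
        return False
    except ValueError:
        return True

# The form as served, and the same form after the hidden price was edited locally (constructed).
SERVED = {"sku": "SKU-100", "price": "49.99", "qty": "1"}
TAMPERED = {"sku": "SKU-100", "price": "0.01", "qty": "1"}

if __name__ == "__main__":
    print("vulnerable handler charges", vulnerable_checkout(TAMPERED))  # 0.01
    print("hardened handler charges", hardened_checkout(TAMPERED))      # 49.99
```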
Cross-site Request Forgery
Input Validation
 Other security issues directly related to a lack of input validation include
– DoS: Any technique used to target availability in any way. For example, the
attacker might create a program to submit registration forms repeatedly until
all resources are exhausted.
– Session fixation: The attacker tricks the user into accessing a web server
using an explicit session ID value. This can be accomplished via a
client-side script, HTTP header response, or <META> tag.
• An example of the URL sent to the victim would appear as follows; notice
how the sessionid is passed: http://knowthetrade.com/<meta http-equiv=Set-Cookie content="sessionid=abc123">
– Direct OS commands: The unauthorized execution of OS commands.
– SOAP injection: The attacker injects malicious query strings in user input
fields to bypass web services authentication.
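The session fixation item above is best understood by seeing why regenerating the session ID at login defeats it. Added example, not from the slides: a constructed in-memory session store with a fixable login and a safe one, replayed with the slide's planted value abc123.

```python
import secrets

class SessionStore:
    """Toy in-memory session store (constructed for this example)."""

    def __init__(self):
        self.sessions = {}  # session id -> attributes

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable, server-generated
        self.sessions[sid] = {"user": None}
        return sid

    def login_fixable(self, presented_sid, user):
        # Vulnerable: authenticates whatever id the browser presented, including
        # one the attacker planted through a Set-Cookie <meta> tag or crafted link.
        self.sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def login_safe(self, presented_sid, user):
        # Mitigation: discard the presented id and issue a fresh one at the moment of
        # authentication, so an attacker-chosen id never becomes a logged-in session.
        self.sessions.pop(presented_sid, None)
        fresh = self.new_session()
        self.sessions[fresh]["user"] = user
        return fresh

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_outcome(login_method):
    """Replay the attack: the planted id 'abc123' is used by the victim to log in,
    then presented again by the attacker. Returns the user that id resolves to."""
    store = SessionStore()
    planted = "abc123"
    getattr(store, login_method)(planted, "victim")
    return store.user_for(planted)
```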
Web-Based Authentication

 Four common types of authentication:
– Basic:
• Uses exclusive ORing (XOR)
• Weak form of encryption that can be compromised easily
– Message digest:
• Uses MD5 algorithm
– Certificate-based:
• Uses public key cryptography
– Forms-based:
• Uses cookies
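Why Basic authentication is considered easy to compromise: the credentials travel in the Authorization header as a Base64-encoded user:password string (RFC 7617), which anyone holding a capture reverses without a key. Added example, not from the slides, with a constructed request capture; the audit flags Basic credentials seen on a non-TLS connection.

```python
import base64
import binascii

def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")  # RFC 7617: first colon separates the two
    return user, password

# Constructed request as a proxy or packet capture would show it.
CAPTURED = (
    "GET /admin HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)

def audit_request(raw_request, over_tls):
    """Flag Basic credentials that crossed the wire without TLS."""
    for line in raw_request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            creds = decode_basic(value.strip())
            if creds and not over_tls:
                return {"finding": "Basic credentials in cleartext", "user": creds[0]}
    return {"finding": None}
```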
Web-Based Password Cracking

 Three basic types of password attacks:
– Dictionary:
• Uses a dictionary list to crack the password
• Fast, but successful only if a dictionary word was used as the password
– Hybrid:
• Uses a dictionary file but adds numbers or symbols to the dictionary words
– Brute force:
• Tries to crack the password by using every possible combination of characters specified by the user
• Time-consuming
 Password cracking tools:
– WebCracker
– Brutus
– THC Hydra
Cookies

 Store information about user preferences, usernames and passwords, cart contents, and so on.
 Tools to view cookies:
– CookieSpy
– Cookie Digger
URL Obfuscation

 Hiding addresses in URLs to bypass filters or other defenses that block specific IP addresses
 Encodes the data so it cannot be easily viewed
 Common encoding schemes
– Hex
– HTML
– Base64
– Unicode
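A filter that compares raw URL text is exactly what the encodings above defeat. Added example, not from the slides: a normalizer that peels stacked hex (including double encoding), %uXXXX Unicode and HTML-entity layers, rewrites integer-form hosts (decimal, hex, octal) to dotted quads, and then applies the block list to the canonical host. Base64 is omitted because a filter cannot know which URL component, if any, carries a Base64 payload.

```python
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit, urlunsplit

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX Unicode escapes

def decode_layers(text, max_rounds=5):
    """Peel %xx, %uXXXX and HTML-entity layers until the string stops changing.
    Note html.unescape also expands legacy entities written without a ';'."""
    for _ in range(max_rounds):
        nxt = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
        nxt = html.unescape(unquote(nxt))
        if nxt == text:
            break
        text = nxt
    return text

def canonical_host(host):
    """Rewrite decimal, hex or octal integer hosts as dotted quads; leave names alone."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            return str(ipaddress.IPv4Address(int(h, 16)))
        if h.isdigit():
            base = 8 if len(h) > 1 and h[0] == "0" else 10
            return str(ipaddress.IPv4Address(int(h, base)))
        return str(ipaddress.ip_address(h))
    except ValueError:
        return h  # an ordinary hostname

def normalize_url(url):
    """Canonical form a filter should compare. Userinfo is dropped on purpose:
    'http://trusted.example@<real host>' is itself a common visual trick."""
    parts = urlsplit(decode_layers(url))
    host = canonical_host(parts.hostname or "")
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def blocked(url, denied_ips):
    """Filter decision made on the canonical host rather than the raw text."""
    return urlsplit(normalize_url(url)).hostname in denied_ips
```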
Intercepting Web Traffic

 Web proxies:
– Allow attackers to attack and debug web applications.
– Act as a man-in-the-middle.
– Burp Proxy.
– Paros Proxy.
– OWASP ZAP.
OWASP ZAP
Database Overview

 Database types:
– Hierarchical database management systems
– Network database management systems
– Relational database management systems
– Object-oriented database management systems
Identifying SQL Servers

 Popular databases and ports:
– Oracle Net Listener – port 1579
– Microsoft SQL – port 1433
– MySQL – port 3306
 SQL injection:
– The attacker takes advantage of insecure code and sends his SQL statements to the database.
– One of the most common attacks.
SQL Injection Vulnerabilities and Hacking Tools
 Simple SQL injection
– Nonvalidated input
– Poor coding practices
 UNION SQL injection
– Uses the UNION command
 Error-based SQL injection
– Uses poorly constructed SQL statements to get error messages and table names
 Blind SQL injection
– Unpatched systems
 Tools:
– SQLDict
– SQLExec
– SQLbf
– BSQL Hacker
– SQL2.exe
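The "insecure code" behind simple, UNION and error-based SQL injection on the previous two slides is string concatenation. Added example, not from the slides, using a constructed in-memory SQLite database: the vulnerable lookup lets a UNION probe read another table and leaks database errors to the page, while the parameterized lookup treats the same input as a literal product name.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "h1", "admin"), ("bob", "h2", "user")])
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "widget", 9.5), (2, "gadget", 19.0)])
    return db

def lookup_vulnerable(db, product_name):
    """Nonvalidated input concatenated straight into the statement (poor coding practice)."""
    sql = "SELECT name, price FROM products WHERE name = '%s'" % product_name
    return db.execute(sql).fetchall()

def lookup_parameterized(db, product_name):
    """Bound parameter: the input is always data, never SQL syntax."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return db.execute(sql, (product_name,)).fetchall()

def error_leak(db, product_name):
    """Error-based: the raw database error is returned to the user instead of a generic message,
    telling an attacker the query structure. The fix is to log it and show nothing."""
    try:
        return lookup_vulnerable(db, product_name)
    except sqlite3.Error as err:
        return "DB error shown to user: %s" % err

def union_probe():
    """Input a UNION-based test sends; used below only to show the parameterized version is inert."""
    return "x' UNION SELECT name, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, union_probe()))      # users table contents
    print("parameterized:", lookup_parameterized(db, union_probe()))  # []
    print(error_leak(db, "'"))                                       # DB error shown to user: ...
```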
Lesson 5
Summary
 Explain web architecture.
 Know the tools used to scan web servers.
 Explain how to perform banner grabbing and enumeration.
 Identify web server vulnerabilities.
 Describe attacks against web servers.
 Describe common authentication types.
 Describe databases and SQL injection attacks.
