Group Number: ______

Member Names: _______________ _______________

ECE 4893: Internetwork Security

Lab 12: Web Security

Date: April 6, 2004

Date Due: April 13, 2004
Last Revised: April 2, 2004

Written by: Tom Bean and Valerio Oricchio

Goal: The goal of this lab is to setup an Apache Web server with third-party modules,
and exploit some vulnerabilities using various tools.

This lab’s focus will in be web server hacking. Web server hacking refers to attackers
taking advantage of vulnerabilities inherent to the web server software itself (or one of its
add-on components). These vulnerabilities are typically publicized and are easy to detect
and attack. An attacker with the right set of tools and ready-made exploits can bring
down a vulnerable web server in minutes. For this reason, it is crucial for web
administrators to always patch their web server and related software.

Copy the files from the Lab12 Folder on the NAS to the various machines

On the Redhat 8.0 host machine:

# mkdir /root/lab12
# cp -rf /mnt/nas4893/Lab12/RH8.0/* /root/lab12

On the Windows XP virtual machine:

Create a folder called “lab12” on the desktop.
Copy the contents of the Windows directory of Lab12 on the NAS, to this folder.

For this lab we will be accessing an Apache web server on the Mininet. The address is
138.210.238.42 and the domain name is www.cc.gatech.edu.

Exercise 1: Web Security Utilities

Some of the following utilities will need SSL support so first and foremost, install
OpenSSL on the Redhat 8.0 host:

# cd /root/lab12
# tar xvfz openssl-0.9.6j.tar.gz

1
# cd openssl-0.9.6j
# ./config -shared --prefix=/usr/local/ssl -fPIC
# make
# make test
# make install

Now the utilities we install can use the SSL libraries.

WGET

When targeting a web server, a serious hacker would study its content thoroughly. This
might involve downloading its entire content for offline examining at his leisure. Doing
this manually would be very tedious and tiresome, so luckily there are some useful tools
readily available that would automate this process.

WGET is a free software package for retrieving files using HTTP, HTTPS, and FTP. It
can be downloaded from http://www.gnu.org/software/wget/wget.html.

To install wget: On the Redhat 8.0 physical machine, change to the utilities folder:

# cd /root/lab12/utilities

Now build wget:

# tar xvfz wget-1.9.1.tar.gz
# cd wget-1.9.1
# ./configure –prefix=/usr/local/wget --with-ssl
# make
# make install

To use wget to download a complete website, do the following:

# mkdir /root/lab12/downloaded
# wget -P /root/lab12/downloaded -m http://138.210.238.42

This transfers data to the folder /root/lab12/downloaded.

Q1.1 What data is transferred to this folder?

Q1.2 Why would this information be useful to attackers?

2
httpdtype and user discovery

Apache web servers, by default, are setup in a way that makes it easy for attackers to
determine the type of web server is running, what additional modules are built into
Apache, and what user accounts are present on the server.

The first simple utility we will look at is a program called “httpdtype”. It is available
from http://packetstormsecurity.nl in a package named “apscan2.tgz”. The other utilities
in this package are not useful for our purposes and will not be discussed.

On your Redhat 8.0 physical machine:

# cd /root/lab12/utilities
# tar xvfz apscan2.tgz

The other utilities are extracted as well but can be ignored.

Now, type:
# ./httpdtype 138.210.238.42

Q1.3 What is the output?

Another useful utility takes advantage of a bug in the Apache software, when run on a
Redhat machine, that makes user discovery quite easy.

If you try to access an existing users folder on an Apache server using a “~”, the server
will respond with a 403 error message, indicating “Forbidden”, since that particular user
has not set the appropriate permissions for their folder.

If you were to try to access a non-existent user in the same manor, the server would
respond with a 404 message indicating “Not Found”. Since that user doesn't exist.

Open up a web browser on your Redhat 8.0 physical machine, and type the following
URL “http://138.210.238.42/~root” and observe the results.

Now try “http://138.210.238.42/~rooty” [this lab assumes there is not a user called
“rooty”]
Observe these results.

As can be seen, this is a very easy method to determine what user accounts are on a
particular server. C code included on NAS, named “arse.c”, which is short for Apache

3
and Redhat Security Exploit, will automate this process. This code can also be obtained
from http://packetstormsecurity.nl.

You have already downloaded “arse.c”, now we will compile it on the Redhat 8.0
physical machine:
# cd /root/lab12/utilities
# gcc -o arse arse.c

Now run “arse” in the following manor:

# ./arse 138.210.238.42 80 names.txt [“names.txt” contains various user names]

This will check server “138.210.238.42”, use port 80 (http), and check user names in
“names.txt”.

Q1.4 What user names were found?

Now we know what user accounts are on the server, information that is very useful to an
attacker. One very good use of this information will be shown following, where we
exploit a flaw in the basic authentication system that web servers use.

3. Cracking basic auth

Most web servers have information on them that is only intended for a certain user or a
certain group of users. To prevent access to this information by unauthorized individuals,
web servers can use “basic authentication”, the simplest method of authentication. For a
long time this was the most common authentication method used by all web servers on
the Internet and is still the primary form of access protection used by many.

We have setup a private folder on our web server. Attempt to browse to:
“http://138.210.238.42/private/” and see that an authentication prompt comes up.
[Note: a “/” is required after “private” above]

This page is only available to two users with passwords.

A bug exists in basic auth that sets no limits on the amount of simultaneous connections
and number of authentication attempts permitted. This makes the process of brute-forcing
your way into a secured folder or file much easier. Also, since we already know what
users exist on the system (from our “arse” output), we will only test passwords for those
particular users.

Note that the users for this directory may not necessarily match system users, which is

4
what we determined earlier, however, chances are very good that they usually will.

A really good brute-forcer for the Win32 environment is Brutus, available at:
http://www.hoobie.net/brutus/

As specified on the website:

Brutus has support for the following authentication types:

HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3
FTP
SMB
Telnet
Other types (must be imported)

The current release includes the following functionality :

Multi-stage authentication engine
60 simultaneous target connections
No user name, single user name and multiple user name modes
Password list, combo (user/password) list and configurable brute force modes
Highly customisable authentication sequences
Load and resume position
Import and Export custom authentication types as BAD files seamlessly
SOCKS proxy support for all authentication types
User and password list generation and manipulation functionality
HTML Form interpretation for HTML Form/CGI authentication types
Error handling and recovery capability inc. resume after crash/failure.

As you can see, Brutus can be very useful for cracking passwords with a large number of
protocols.

Install Brutus on your Windows XP Virtual Machine:

Create a new folder on the desktop called “Brutus”
Open the “lab12” folder on the desktop and double-click on the Brutus zip file. Extract all
files to the “Brutus” folder. Now, copy the “names.txt” (same file used with arse) from
the lab12 folder to the Brutus folder.

Now run “BrutusA2.exe”.

For “Target” specify: “www.cc.gatech.edu/private/”
for “Type”: HTTP (Basic Auth)

Under Authentication Options:

Check “Use Username”
For “Pass Mode”: Word List
For “User File”: names.txt

5
For “Pass File”: words.txt

Now click the “Start Button”

Q1.5 Are the passwords for the two users able to be cracked and if so, what are the
users and passwords and how long did it take?

Brutus is also very useful in the fact that it can also “brute-force” passwords. If you want
to try this, change “Pass Mode” to “Brute Force” and click “Start”.

Warning: If you don't set the “Range” settings to something close to the passwords you
are attempting to crack, you could literally be waiting for centuries.

Play around with the Brute Force Range options to get an idea about what takes the
longest.

Q1.6 What types of passwords would be easiest to crack? Which would be hardest?
Why?

Now, if you want play around with the many other features in Brutus to get a feel for
what all can be accomplished with this software.

Exercise 2: Vulnerability Scanning

Several tools are available to automate the process of parsing web servers for the
numerous exploits that are continuously found in the hacking community. Commonly
called “vulnerability scanners”, these types of tools will scan for dozens of well-known
vulnerabilities. Attackers can then use there time more efficiently in exploiting the
vulnerabilities found by the tools.

In this lab, we'll use one of the more popular scanners called “Nikto”. It can obtained
from: http://www.cirt.net/code/nikto.shtml.

6
The description on the website states:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests
against web servers for multiple items, including over 2600 potentially dangerous
files/CGIs, versions on over 625 servers, and version specific problems on over 230
servers. Scan items and plugins are frequently updated and can be automatically updated
(if desired).

We will install and use Nikto to see what we find. Since Nikto is a Perl script, it requires
the Perl module Net::SSLeay for it to have HTTPS support. That module can be obtained
from: http://www.cpan.org/authors/id/S/SA/SAMPO/Net_SSLeay.pm-1.25.tar.gz.

We will now install Nikto and the Net::SSLeay module.

On your Redhat 8.0 physical machine:

# cd /root/lab12
# tar xvfz Net_SSLeay.pm-1.25.tar.gz
# cd Net_SSLeay.pm-1.25
# ./Makefile.PL
# make install
# cd ..
# tar xvfz nikto-current.tar.gz
# cd nikto-1.32
# ./nikto.pl

This will display Nikto's large variety of command-line options. For more detailed
descriptions consult the “nikto-usage.txt” file in the /docs folder.

To test the vulnerabilities on our web server type:

# ./nikto.pl -h 138.210.238.42 -p 80,443 > outfile.txt

This will scan the web server on our Redhat 7.2 Virtual Machine on port 80 (http) and
port 443 (https). The “> outfile.txt” will output to the file what would normally be
displayed to the screen.

Open “outfile.txt” in your favorite text editor to observe what is found.

Attach a printout of this file.

Q2.1 How can this information be used to a hacker's advantage?

7
If you are wondering what reflection will be made on the server in terms of logs files, etc.
we have included an access log from the server after being subjected to the same attacks.
On your RH8.0 machine it is “/root/Lab12/access_logs”. Open this with a test editor (it
is a large file) and look at the contents. Q2.2 Is it apparent that a scanner (in our case,
Nikto) was run and if so how can you tell? What about Brutus?

How long did it take you to complete this lab? Was it an appropriate length lab?

What corrections and or improvements do you suggest for this lab? Please be very
specific and if you add new material give the exact wording and instructions you
would give to future students in the new lab handout. You may cross out and edit
the text of the lab on previous pages to make corrections/suggestions. Note that part
of your lab grade is what improvements you make to this lab.