Untitled

Uploaded by

Saubhagya IRIBL
CEH Lab Manual
Hacking Web Servers
Module 13

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Module 13 - Hacking Web Servers

Hacking Web Servers

A web server is a computer system that stores, processes, and delivers web pages to global clients via the HTTP protocol. A web server attack typically involves preplanned activities, called an attack methodology, which the attacker implements to reach their goal of breaching the target web server's security.

Lab Scenario

Most organizations consider their web presence to be an extension of themselves. Organizations create their web presence on the World Wide Web using websites associated with their business. Most online services are implemented as web applications. Online banking, search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real time by a software application running on the server side.

Web servers are a critical component of web infrastructure. A single vulnerability in a web server's configuration may lead to a security breach on websites. This makes web server security critical to the normal functioning of an organization.

Hackers attack web servers to steal credentials, passwords, and business information. They do this using DoS, DDoS, DNS server hijacking, DNS amplification, directory traversal, Man-in-the-Middle (MITM), sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, SSH brute force, web server password cracking, and other methods. Attackers can exploit a poorly configured web server with known vulnerabilities to compromise the security of the web application. A leaky server can harm an organization.

In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end.
This module presents a security application that augments web servers with trusted co-servers composed of high-assurance secure co-processors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which can act as a trusted third party in the browser-server interaction.

Systems are constantly being attacked, so IT security professionals need to be aware of the common attacks on web server applications. A penetration (pen) tester or ethical hacker for an organization must provide security to the company's web server. This includes performing checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Lab Objectives

The objective of this lab is to perform web server hacking and other tasks that include, but are not limited to:

* Footprint a web server using various information-gathering tools and inbuilt commands
* Enumerate web server information
* Crack remote passwords

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment

To carry out this lab, you need:

* Windows Server 2019 virtual machine
* Windows Server 2016 virtual machine
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 75 Minutes

Overview of Web Server

Most people think a web server is just hardware, but a web server also includes software applications. In general, a client initiates the communication process through HTTP requests. When a client wants to access any resource such as web pages, photos, or videos, the client's browser generates an HTTP request to the web server.
Depending on the request, the web server collects the requested information or content from data storage or the application servers and responds to the client's request with an appropriate HTTP response. If a web server cannot find the requested information, then it generates an error message.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to hack a target web server. Recommended labs that will assist you in learning various web server hacking techniques include:

1 Footprint the Web Server
  1.1 Information Gathering using Ghost Eye
  1.2 Perform Web Server Reconnaissance using Skipfish
  1.3 Footprint a Web Server using the httprecon Tool
  1.4 Footprint a Web Server using ID Serve
  1.5 Footprint a Web Server using Netcat and Telnet
  1.6 Enumerate Web Server Information using Nmap Scripting Engine (NSE)
  1.7 Uniscan Web Server Fingerprinting in Parrot Security
2 Perform a Web Server Attack
  2.1 Crack FTP Credentials using a Dictionary Attack

Remark

EC-Council has prepared a considerable amount of lab exercises for students to practice during the 5-day class and at their free time to enhance their knowledge and skill.

*Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practiced during the 5-day class.

**Self-study - Lab exercise(s) marked under self-study are for students to practice at their free time. Steps to access the additional lab exercises can be found in the first page of CEHv11 volume 1 book.

***iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution. iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools and scripts, and can be accessed from anywhere with an Internet connection.
If you are interested to learn more about our iLabs solution, please contact your training center or visit https://ilabs.eccouncil.org.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion on your target's security posture.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Footprint the Web Server

Footprinting the web server refers to the process of gathering as much information as possible about the target web server by using various tools and techniques.

Lab Scenario

The first step of hacking web servers for a professional ethical hacker or pen tester is to collect as much information as possible about the target web server and analyze the collected information in order to find lapses in its current security mechanisms. The main purpose is to learn about the web server's remote access capabilities, its ports and services, and other aspects of its security. The information obtained in this step helps in assessing the security posture of the web server.

Footprinting may involve searching the Internet, newsgroups, bulletin boards, etc. for gathering information about the target organization's web server. There are also tools such as Whois.net and Whois Lookup that extract information such as the target's domain name, IP address, and autonomous system number.

Web server fingerprinting is an essential task for any penetration tester. Before proceeding to hack or exploit a web server, the penetration tester must know the type and version of the web server, as most of the attacks and exploits are specific to the type and version of the server being used by the target.
These methods help any penetration tester to gain information and analyze their target so that they can perform a thorough test and can deploy appropriate methods to mitigate such attacks on the server.

An ethical hacker or penetration tester must perform footprinting to detect the loopholes in the web server of the target organization. This will help in predicting the effectiveness of additional security measures for strengthening and protecting the web server of the target organization.

The labs in this exercise demonstrate how to footprint a web server using various footprinting tools and techniques:

* Information gathering using Ghost Eye
* Perform web server reconnaissance using Skipfish
* Footprint a web server using the httprecon Tool
* Footprint a web server using ID Serve
* Footprint a web server using Netcat and Telnet
* Enumerate web server information using Nmap Scripting Engine (NSE)
* Uniscan web server fingerprinting in Parrot Security

Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers.

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Windows Server 2016 virtual machine
* Windows Server 2019 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools
* httprecon located at E:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\httprecon
* ID Serve located at E:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\ID Serve
* You can also download the latest version of the above-mentioned tools from their official websites. If you decide to download the latest version, the screenshots shown in this lab manual might differ from the image that you see on your screen.
Lab Duration

Time: 65 Minutes

Overview of Web Server Footprinting

By performing web server footprinting, it is possible to gather valuable system-level data such as account details, OS, software versions, server names, and database schema details. Use the Telnet utility to footprint a web server and gather information such as server name, server type, OSes, and applications running. Use footprinting tools such as Netcraft, ID Serve, and httprecon to perform web server footprinting.

Web server footprinting tools such as Netcraft, ID Serve, and httprecon can extract information from the target server. Let us look at the features and the types of information these tools can collect from the target server.

Lab Tasks

Task 1: Information Gathering using Ghost Eye

Ghost Eye is an information-gathering tool written in Python 3. To run, Ghost Eye only needs a domain or IP.

1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.

Note:
* If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.

3. Click the MATE Terminal icon from the menu bar to launch the terminal.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and press Enter.

Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.

Install Ghost Eye

7. Now, install Ghost Eye. To do this, in the terminal window, type git clone https://github.com/BullsEye0/ghost_eye.git and press Enter. This will install Ghost Eye in your virtual machine, as shown in the screenshot.

Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Parrot Security virtual machine:

* Open a windows explorer and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access Windows 10 shared folders.
* The security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
* The Windows shares on 10.10.10.10 window appears; navigate to the location CEH-Tools/CEHv11 Module 13 Hacking Web Servers/GitHub Tools/ and copy the ghost_eye folder.
* Paste the copied ghost_eye folder on the location /home/attacker/.
* In the terminal window, type mv /home/attacker/ghost_eye /root.

9. Now, navigate to the Ghost Eye directory. Type cd ghost_eye and press Enter.
10. In the terminal window, type pip3 install -r requirements.txt and press Enter.

Launch Ghost Eye

11. To launch Ghost Eye, type python3 ghost_eye.py and press Enter.
12. The Ghost Eye - Information Gathering Tool options appear, as shown in the screenshot.
13.
Let us perform a Whois Lookup. Type 4 for the Enter your choice: option and press Enter.

Perform Whois Lookup

14. Type certifiedhacker.com in the Enter Domain or IP Address: field and press Enter.
15. Scroll up to see the certifiedhacker.com result. In the result, observe the complete information of the certifiedhacker.com domain such as Domain Name, Registry Domain ID, Registrar WHOIS Server, Registrar URL, and Updated Date.

Perform DNS Lookup

16. Let us perform a DNS Lookup on certifiedhacker.com. In the Enter your choice field, type 2 and press Enter to perform DNS Lookup.
17. The Enter Domain or IP Address field appears; type certifiedhacker.com and press Enter.

Note: The results might differ in your lab environment.

18. As soon as you hit Enter, Ghost Eye starts performing a DNS Lookup on the targeted domain (here, certifiedhacker.com).
19. Scroll up to view the DNS Lookup result.

Perform Clickjacking Test

20. Now, perform the Clickjacking Test. Select the Clickjacking Test option in the Enter your choice field and press Enter.
21. In the Enter the Domain to test field, type certifiedhacker.com and press Enter.
22. By performing this test, Ghost Eye will provide the complete architecture of the web server, and also reveal whether the domain is vulnerable to Clickjacking attacks or not.
23. Similarly, you can use the other tools available with Ghost Eye such as Nmap port scan, HTTP header grabber, link grabber, and Robots.txt scanner to gather information about the target web server.
24. This concludes the demonstration of how to gather information about a target web server using Ghost Eye.
25. Close all open windows on the Parrot Security virtual machine.

Task 2: Perform Web Server Reconnaissance using Skipfish

Note: Ensure that the Parrot Security virtual machine is running.

Start WampServer

1. Turn on the Windows Server 2016 virtual machine and log in with the credentials Administrator and Pa$$w0rd.
2. Double-click the WAMP Server shortcut icon from Desktop to start WAMP Server services. Alternatively, you can also launch the WAMP Server services from the Start menu apps in Windows Server 2016.
3. Wait until the WAMP Server icon turns Green in the Notification area. Leave the Windows Server 2016 virtual machine running.
4. Switch to the Parrot Security virtual machine and launch MATE Terminal.
5. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter.
6. In the [sudo] password for attacker field, type toor as a password and press Enter.

Note: The password that you type will not be visible.

7. Now, type cd and press Enter to jump to the root directory.

Scan the Web Server

8. Now, perform security reconnaissance on a web server using Skipfish. The target is the WordPress website http://[IP Address of Windows Server 2016].
9. Specify the output directory and load a dictionary file based on the web server's requirement.
In this lab, we are naming the output directory test.

10. In the terminal window, type skipfish -o /root/test -S /usr/share/skipfish/dictionaries/complete.wl http://[IP Address of Windows Server 2016]:8080 and press Enter.

Note: The IP address may vary in your lab environment.

11. On receiving this command, Skipfish performs a heavy brute-force attack on the web server by using the complete.wl dictionary file, creates a directory named test in the root location, and stores the result in index.html inside this location.
12. Before beginning a scan, Skipfish displays some tips. Press Enter to start the security reconnaissance.
13. Skipfish scans the web server, as shown in the screenshot.
14. Note that Skipfish takes some time to complete its scan (approximately 20 minutes).

Note: You can press Ctrl+C to terminate the scan if it is taking longer.

Examine the Scan Result

15. On completion of the scan, Skipfish generates a report and stores it in the test directory (in the root location). Navigate to the location, right-click index.html, hover your mouse cursor on Open With, and click Firefox to view the scan result.

Note: To navigate to the root directory, click Places from the top section of the Desktop and click Home Folder from the drop-down options. In the attacker window, click File System from the left pane and navigate to the location root.

16.
The Skipfish crawl result appears in the web browser, displaying a summary overview of document and issue types found, as shown in the screenshot.

Note: The scan result might vary in your lab environment.

17. Expand each node to view detailed information regarding the result.
18. Analyze an issue found in the web server. To do this, click a node under the Issue type overview section to expand it.
19. Analyze the SQL query or similar syntax in parameters issue.
20. Observe the URL of the webpage associated with the vulnerability. Click the URL.
21. The webpage appears, as shown in the screenshot.
22. The PHP version webpage appears, displaying details related to the machine, as well as the other resources associated with the web server infrastructure and PHP configuration.
23. Click show trace next to the URL to examine the vulnerability in detail.
24. An HTTP trace window appears on the webpage, displaying the complete HTML session, as shown in the screenshot.

Note: If the window does not properly appear, hold down the Ctrl key and click the link.

25. Examine other vulnerabilities and patch them to secure the web server.
26. This concludes the demonstration of how to gather information about a target web server using Skipfish.
27. Close all open windows on both the Parrot Security and Windows Server 2016 virtual machines and turn off the machines.

Task 3: Footprint a Web Server using the httprecon Tool

Here, we will use the httprecon tool to gather information about a target web server.

Launch the Application

1. Turn on the Windows 10 virtual machine and log in with the credentials Admin and Pa$$w0rd.
2. Navigate to E:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\httprecon, right-click httprecon.exe, and, from the context menu, click Run as administrator to launch the application.

Note: If a User Account Control pop-up appears, click Yes.

3.
The main window of httprecon appears, as shown in the screenshot.

httprecon is a tool for advanced web server fingerprinting.

Provide the Target URL and Results

4. Enter the website URL (here, www.certifiedhacker.com) that you want to footprint and select port number (80) in the Target section.
5. Click Analyze to start analyzing the designated website.
6. A footprint of the website appears, as shown in the screenshot.
7. Look at the GET existing tab, and observe the server (Apache) and the server-side application (ASP.NET) used to develop the webpage.
8.
When attackers obtain this information, they research the vulnerabilities present in ASP.NET and Apache and try to exploit them, which results in either full or partial control over the web application.

9. Click the GET long request tab, which lists all GET requests. Next, click the Fingerprint Details tab.
10. The details displayed in the screenshot above include the name of the protocol the website is using and its version.
11. By obtaining this information, attackers can manipulate HTTP vulnerabilities in order to perform malicious activities such as sniffing over the HTTP channel, which might result in revealing sensitive data such as user credentials.
12. This concludes the demonstration of how to gather information about the target web server using httprecon.
13. Close all open windows on the Windows 10 virtual machine.

Task 4: Footprint a Web Server using ID Serve

Pen testers must be familiar with banner grabbing techniques to monitor servers and ensure compliance and appropriate security updates. This technique also helps in locating rogue servers or determining the role of servers within a network. This lab manual helps understand and learn the banner grabbing technique using ID Serve, which allows an attacker to determine a remote target system.

Note: Ensure that the Windows 10 virtual machine is running.

1. On the Windows 10 virtual machine, navigate to E:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\ID Serve and double-click idserve.exe.
2. The main window of ID Serve appears. Click the Server Query tab.
3. For option 1, in the Enter or copy/paste an Internet server URL or address section, enter the URL (http://www.certifiedhacker.com) that you want to footprint.
4. Click Query the Server to start querying the website.
5. After the completion of the query, ID Serve displays the results of the entered website, as shown in the screenshot.

Task 5

Netcat is a networking utility that reads and writes data across network connections using the TCP/IP protocol. It is a reliable "back-end" tool used directly or driven by other programs and scripts.

and press Enter.

6. In this scan, we are enumerating the www.goodshopping.com website.

The web applications that are available on the Internet may have vulnerabilities.

7. This script enumerates and provides you with the output details, as shown in the screenshot.

8.
The next step is to discover the hostnames that resolve the targeted domain.

9. In the terminal window, type nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com and press Enter.
10. Perform an HTTP trace on the targeted domain. In the terminal window, type nmap --script http-trace -d www.goodshopping.com and press Enter.
11. This script will detect a vulnerable server that uses the TRACE method by sending an HTTP TRACE request that shows if the method is enabled or not.
12. Now, check whether a Web Application Firewall is configured on the target host or domain. In the terminal window, type nmap -p80 --script http-waf-detect www.goodshopping.com and press Enter.
13. This command will scan the host and attempt to determine whether a web server is being monitored by an IPS, IDS, or WAF.
14. This command will probe the target host with malicious payloads and detect the changes in the response code.
15. This concludes the demonstration of how to enumerate web server information using the Nmap Scripting Engine (NSE).
16. Close the terminal windows on the Parrot Security virtual machine.
17. Turn off the Windows Server 2019 virtual machine.

Task 7: Uniscan Web Server Fingerprinting in Parrot Security

Note: Ensure that the Parrot Security virtual machine is running.

Start WAMPServer in Windows Server 2016

1. Turn on the Windows Server 2016 virtual machine and log in with the credentials Administrator and Pa$$w0rd.
2. Start WAMPServer on the Windows Server 2016 virtual machine. Double-click the WAMPServer shortcut icon on Desktop to start the service.
3. Wait until the WAMPServer icon turns green in the notification area, as shown in the screenshot.
4. Leave the Windows Server 2016 virtual machine running and switch to the Parrot Security virtual machine.
5. Now, on the Parrot Security virtual machine, click the MATE Terminal icon from the menu bar to launch the terminal.
6. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
7. In the [sudo] password for attacker field, type toor as a password and press Enter.

Note: The password that you type will not be visible.

8. Now, type cd and press Enter to jump to the root directory.

View Uniscan Help Options

Uniscan is a versatile server fingerprinting tool that not only performs ping, traceroute, and nslookup, but also does static, dynamic, and stress checks on a web server.

9. In the terminal window, type uniscan -h and hit Enter to display the uniscan help options.
10. The help menu appears, as shown in the screenshot. First, use the -q command to search for the directories of the web server.

Perform Directory Scan

11. In the terminal window, type uniscan -u http://10.10.10.16:8080/CEH -q and hit Enter to start scanning for directories.
12. Here, 10.10.10.16 is the IP address of the Windows Server 2016 virtual machine. This may vary in your lab environment.
13. In the above command, the -u switch is used to provide the target URL, and the -q switch is used to scan the directories in the web server.
14. Uniscan starts performing different tests on the web server and discovering web directories, as shown in the screenshot.
Note: Scroll to analyze the complete output of the scan. It should take approximately 10 minutes for the scan to finish.

Task 7.4
15. Now, run uniscan using two options together. Here, -w and -e are used together to enable the file check (robots.txt and sitemap.xml file). In the terminal window, type uniscan -u http://10.10.10.16:8080/CEH -we and hit Enter to start the scan.
16. Uniscan starts the file check and displays the results, as shown in the screenshot.
Note: Scroll to analyze the complete scan result. It should take approximately 10 minutes for the scan to finish.

Task 7.5: Perform Dynamic Tests
17. Now, use the dynamic testing option by giving the command -d. Type uniscan -u http://10.10.10.16:8080/CEH -d and hit Enter to start a dynamic scan on the web server.
18. Uniscan starts performing dynamic tests, obtaining more information about email IDs, source code disclosures, and external hosts.
Note: Scroll to analyze the complete output of the scan. It should take approximately 10 minutes for the scan to finish.
19. Uniscan displays the PHP info, as shown in the screenshot below.
Close the terminal window.

Task 7.6: View Report
20. After scanning, navigate to /usr/share/uniscan/report and right-click on 10.10.10.16.html. Hover your mouse cursor on Open With and click Firefox from the menu to view the scan report.
21. The report opens in the browser, giving you all scan details in a more comprehensive manner.
22. This concludes the demonstration of how to gather information about the target web server using Uniscan.
23. Close all terminal windows on the Parrot Security virtual machine.
24. Turn off the Parrot Security and Windows Server 2016 virtual machines.

You can also use other web server footprinting tools such as SpiderFoot (https://www.spiderfoot.net) and Network Miner (https://www.netresec.com) to gather information about the target web server.

Lab Analysis
Analyze and document all the results discovered in this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB.
Platform Supported: Classroom, iLabs
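A defender's view of the scans in this lab, as an added example that is not part of the original manual: the TRACE probe sent by http-trace and the directory search run by uniscan -q both leave a recognizable pattern in the web server's access log. The log lines, client addresses, and the 404 threshold below are constructed assumptions.

```python
import re
from collections import defaultdict

# Common Log Format prefix written by Apache (the server WAMP runs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample access log; addresses and paths are made up.
SAMPLE_LOG = """\
10.10.10.50 - - [01/Jan/2024:10:00:01 +0000] "GET /CEH/index.php HTTP/1.1" 200 5120
10.10.10.13 - - [01/Jan/2024:10:00:05 +0000] "TRACE / HTTP/1.1" 200 180
10.10.10.13 - - [01/Jan/2024:10:01:00 +0000] "GET /CEH/admin/ HTTP/1.1" 404 210
10.10.10.13 - - [01/Jan/2024:10:01:00 +0000] "GET /CEH/backup/ HTTP/1.1" 404 210
10.10.10.13 - - [01/Jan/2024:10:01:01 +0000] "GET /CEH/config/ HTTP/1.1" 404 210
10.10.10.13 - - [01/Jan/2024:10:01:01 +0000] "GET /CEH/images/ HTTP/1.1" 200 930
10.10.10.13 - - [01/Jan/2024:10:01:02 +0000] "GET /CEH/test/ HTTP/1.1" 404 210
10.10.10.50 - - [01/Jan/2024:10:02:00 +0000] "GET /CEH/missing.png HTTP/1.1" 404 210
this line is malformed and must be skipped
"""

def parse(log_text):
    """Yield (ip, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])

def trace_probes(entries):
    """Clients that sent TRACE, and whether the server honoured it (2xx)."""
    hits = {}
    for ip, method, _path, status in entries:
        if method == "TRACE":
            hits[ip] = hits.get(ip, False) or 200 <= status < 300
    return hits

def directory_scanners(entries, min_distinct_404=4):
    """Clients that requested many different non-existent paths."""
    missing = defaultdict(set)
    for ip, _method, path, status in entries:
        if status == 404:
            missing[ip].add(path)
    return {ip: len(p) for ip, p in missing.items() if len(p) >= min_distinct_404}

if __name__ == "__main__":
    entries = list(parse(SAMPLE_LOG))
    for ip, enabled in trace_probes(entries).items():
        print(f"TRACE probe from {ip}; TRACE enabled on server: {enabled}")
    for ip, n in directory_scanners(entries).items():
        print(f"possible directory scan from {ip}: {n} distinct 404 paths")
```

A 2xx reply to TRACE in the log means the method is still enabled on the server and should be switched off in its configuration.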
Perform a Web Server Attack
An expert hacker and pen tester must implement various techniques to launch web server attacks on the target web server.

Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers

Lab Scenario
After gathering required information about the target web server, the next task for an ethical hacker or pen tester is to attack the web server in order to test the target network's web server security infrastructure. This requires knowledge of how to perform web server attacks.

Attackers perform web server attacks with certain goals in mind. These goals may be technical or non-technical. For example, attackers may breach the security of the web server to steal sensitive information for financial gain, or merely for curiosity's sake. The attacker tries all possible techniques to extract the necessary passwords, including password guessing, dictionary attacks, brute force attacks, hybrid attacks, pre-computed hashes, rule-based attacks, distributed network attacks, and rainbow attacks. The attacker needs patience, as some of these techniques are tedious and time-consuming. The attacker can also use automated tools such as Brutus and THC-Hydra to crack web passwords.

An ethical hacker or pen tester must test the company's web server against various attacks and other vulnerabilities. It is important to find various ways to extend the security test by analyzing web servers and employing multiple testing techniques.
This will help to predict the effectiveness of additional security measures for strengthening and protecting web servers of the organization.

Lab Objectives
* Crack FTP credentials using a Dictionary Attack

Lab Environment
To carry out this lab, you need:
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration
Time: 10 Minutes

Overview of Web Server Attack
Attackers can cause various kinds of damage to an organization by attacking a web server, including:
* Compromise of a user account
* Secondary attacks from the website and website defacement
* Root access to other applications or servers
* Data tampering and data theft
* Damage to the company's reputation

Lab Tasks

Task 1: Crack FTP Credentials using a Dictionary Attack
Here, we will first find the open FTP port using Nmap, and then perform a dictionary attack using the THC Hydra tool.

A dictionary or wordlist contains thousands of words that are used by password cracking tools to break into a password-protected system. An attacker may either manually crack a password by guessing it or use automated tools and techniques such as the dictionary method. Most password cracking techniques are successful because of weak or easily guessable passwords.

Task 1.1: Copy and Paste Wordlists Folder
1. Turn on the Windows 10 and Parrot Security virtual machines.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
Note: Here, we will use a sample password file (Passwords.txt) containing a list of passwords to crack the FTP credentials on the target machine.
3. First, we will copy the Wordlists folder containing the sample username and password files (named Passwords.txt and Usernames.txt) from the shared network drive to the root/Home directory of the Parrot Security virtual machine.
4. To do so, open any windows explorer and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access Windows 10 shared folders.
5. A security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
6. The Windows shares on 10.10.10.10 window appears. Double-click the CEH-Tools folder.
7. Navigate to CEHv11 Module 13 Hacking Web Servers and copy the Wordlists folder.
8. Paste the Wordlists folder into the /home/attacker directory, as shown in the screenshot.

Task 1.2: Perform Nmap Scan
9. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
10. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
11. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
12. Now, type cd and press Enter to jump to the root directory.
13. Type mv /home/attacker/Wordlists /root/ and press Enter to move the Wordlists folder to the root directory.
14. Assume that you are an attacker, and you have observed that the FTP service is running on the Windows 10 virtual machine.
15. Perform an Nmap scan on the target machine (Windows 10) to check if the FTP port is open.
16. In the parrot terminal window, type nmap -p21 [IP Address of Windows 10] and press Enter.
Note: In this lab, the IP address of Windows 10 is 10.10.10.10.
17. Observe that port 21 is open in Windows 10.
18. Check if an FTP server is hosted on the Windows 10 machine.
19. Type ftp [IP Address of Windows 10] and press Enter. You will be prompted to enter user credentials. The need for credentials implies that an FTP server is hosted on the machine.
20. Try entering random usernames and passwords in an attempt to gain FTP access.
Note: The password you enter will not be visible on the screen.
21. As shown in the screenshot, you will not be able to log in to the FTP server. Close the terminal window.

Task 1.3: Perform Dictionary Attack
22. Now, to attempt to gain access to the FTP server, perform a dictionary attack using the THC Hydra tool.
23. Open a new terminal and jump to the root directory. Now, type hydra -L /root/Wordlists/Usernames.txt -P /root/Wordlists/Passwords.txt ftp://[IP Address of Windows 10] and press Enter.
Note: The IP address of Windows 10 in this lab exercise is 10.10.10.10. This IP address might vary in your lab environment.
24. Hydra tries various combinations of usernames and passwords (present in the Usernames.txt and Passwords.txt files) on the FTP server and outputs cracked usernames and passwords, as shown in the screenshot.
Note: This might take some time to complete.
25. On completion of the password cracking, the cracked credentials appear, as shown in the screenshot.
26. Try to log in to the FTP server using one of the cracked username and password combinations. In this lab, use Martin's credentials to gain access to the server.
27. Open a new terminal window and jump to the root directory. Now, type ftp [IP Address of Windows 10] and press Enter.

Task 1.4
28. Enter Martin's user credentials (Martin and apple) to check whether you can successfully log in to the server.
29. On entering the credentials, you will successfully be able to log in to the server. An ftp terminal appears, as shown in the screenshot.
30. Now you can remotely access the FTP server hosted on the Windows 10 machine.
31. Type mkdir Hacked and press Enter to remotely create a directory named Hacked on the Windows 10 virtual machine through the ftp terminal.
32. Switch to the Windows 10 virtual machine, log in with the credentials Admin and Pa$$w0rd, and navigate to C:\FTP.
33. View the directory named Hacked, as shown in the screenshot.
34. You have successfully gained remote access to the FTP server by obtaining the appropriate credentials.
35. Switch back to the Parrot Security virtual machine.
36. Enter help to view all other commands that you can use through the FTP terminal.
37. On completing the task, enter quit to exit the ftp terminal.
38. This concludes the demonstration of how to crack FTP credentials using a dictionary attack and gain remote access to the FTP server.
39. Close all open windows on both the Parrot Security and Windows 10 virtual machines.
40. Turn off the Parrot Security and Windows 10 virtual machines.

You can also use other web server attack tools such as Burp Suite (https://portswigger.net), Hashcat (https://hashcat.net), or Metasploit (https://www.metasploit.com) to attack the target web server.

Lab Analysis
Analyze and document all the results discovered in this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB.
Platform Supported: Classroom, iLabs

Certified Ethical Hacker, EC-Council Official Curricula
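What the dictionary attack in this lab looks like from the FTP server's side, as an added example that is not part of the original manual: a burst of failed PASS replies (530) from one client, followed by a successful login (230), marks an account that was guessed. The W3C-style field subset, the sample log lines, the client addresses, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed W3C-style FTP log (field subset is an assumption, not lab output).
# 10.10.10.50 mistypes once; 10.10.10.13 walks a wordlist and then gets in.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status x-session
2024-01-01 09:00:00 10.10.10.50 USER Jason 331 a1
2024-01-01 09:00:04 10.10.10.50 PASS *** 530 a1
2024-01-01 10:00:00 10.10.10.13 USER Admin 331 b1
2024-01-01 10:00:00 10.10.10.13 PASS *** 530 b1
2024-01-01 10:00:01 10.10.10.13 USER Jason 331 b2
2024-01-01 10:00:01 10.10.10.13 PASS *** 530 b2
2024-01-01 10:00:02 10.10.10.13 USER Martin 331 b3
2024-01-01 10:00:02 10.10.10.13 PASS *** 530 b3
2024-01-01 10:00:03 10.10.10.13 USER Martin 331 b4
2024-01-01 10:00:03 10.10.10.13 PASS *** 230 b4
"""

def logins(text):
    """Pair each PASS reply with the USER sent in the same session."""
    fields, pending, out = [], {}, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        r = dict(zip(fields, line.split()))
        key = (r.get("c-ip"), r.get("x-session"))
        if r.get("cs-method") == "USER":
            pending[key] = r.get("cs-uri-stem", "-")
        elif r.get("cs-method") == "PASS" and key in pending:
            ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
            out.append((ts, r["c-ip"], pending.pop(key), r.get("sc-status") == "230"))
    return out

def dictionary_attacks(events, min_failures=3, window=timedelta(seconds=60)):
    """Flag clients with min_failures failed logins inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, ev in by_ip.items():
        fails = [ts for ts, _user, ok in ev if not ok]
        n = min_failures
        if any(fails[i + n - 1] - fails[i] <= window for i in range(len(fails) - n + 1)):
            alerts[ip] = {
                "failures": len(fails),
                "users_tried": sorted({user for _ts, user, _ok in ev}),
                # A success after the burst means an account was guessed.
                "guessed": sorted({u for ts, u, ok in ev if ok and ts >= fails[0]}),
            }
    return alerts

if __name__ == "__main__":
    print(dictionary_attacks(logins(SAMPLE_LOG)))
```

Any account listed under "guessed" needs its password reset, and the weak or easily guessable passwords that made the wordlist work are the root cause to fix.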
