Module 13 Hacking Web Server

Uploaded by Nghia Tran Van
Certified Ethical Hacker, Module 13: Hacking Web Servers
Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker

Module Objectives

- Understanding web server concepts
- Understanding web server attacks
- Overview of web server security tools

Most organizations consider their web presence to be an extension of themselves. Organizations maintain websites associated with their business on the World Wide Web to establish their web presence. Web servers are a critical component of web infrastructure. A single vulnerability in web server configuration may lead to a security breach on websites. Therefore, web server security is critical to the normal functioning of an organization.

This module starts with an overview of web server concepts. Subsequently, it provides insight into various web server attacks, attack methodologies, and attack tools. Later, the module describes countermeasures against web server attacks, patch management, and security tools.

At the end of this module, you will be able to do the following:

- Describe web server concepts
- Perform various web server attacks
- Describe web server attack methodology
- Use different web server attack tools
- Apply web server attack countermeasures
- Describe patch management concepts
- Use different web server security tools

Module 13 Page 1594 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Flow

Web Server Concepts; Web Server Attacks; Web Server Attack Methodology; Web Server Attack Tools; Countermeasures; Patch Management; Web Server Security Tools
Web Server Concepts

To understand web server hacking, it is essential to understand web server concepts, including what a web server is, how it functions, and the other elements associated with it. This section provides a brief overview of a web server and its architecture. It also explains the common factors or mistakes that allow attackers to hack a web server, and it describes the impact of attacks on web servers.

Web Server Operations

Components of a web server: document root, server root, virtual document tree, virtual hosting, and web proxy.

A web server is a computer system that stores, processes, and delivers web pages to global clients via the Hypertext Transfer Protocol (HTTP). In general, a client initiates a communication process through HTTP requests. When a client wants to access a resource such as a web page, photo, or video, the client's browser generates an HTTP request that is sent to the web server. Depending on the request, the web server collects the requested information/content from the data storage or application servers and responds to the client's request with an appropriate HTTP response.
If a web server cannot find the requested information, it generates an error message.

Figure 13.1: Typical client-server communication in web server operation (client, web server, application server, web container, data store, other services)

Components of a Web Server

A web server consists of the following components:

Document Root

The document root is one of the root file directories of the web server that stores critical HTML files related to the web pages of a domain name, which will be sent in response to requests. For example, if the requested URL is www.certifiedhacker.com and the document root is named "certroot" and is stored in the directory /admin/web, then /admin/web/certroot is the document directory address. If the complete request is www.certifiedhacker.com/P-folio/index.html, the server will search for the file path /admin/web/certroot/P-folio/index.html.

Server Root

The server root is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. The server root, in general, consists of four files. One file is dedicated to the code that implements the server, while the other three are subdirectories, namely -conf, -logs, and -cgi-bin, which are used for configuration information, logs, and executables, respectively.

Virtual Document Tree

A virtual document tree provides storage on a different machine or disk after the original disk becomes full.
It is case-sensitive and can be used to provide object-level security. In the above example under document root, for a request of www.certifiedhacker.com/P-folio/index.html, the server can also search for the file path /admin/web/certroot/P-folio/index.html if the directory /admin/web/certroot is stored on another disk.

Virtual Hosting

Virtual hosting is a technique of hosting multiple domains or websites on the same server. This technique allows the sharing of resources among various servers. It is employed in large-scale companies, in which company resources are intended to be accessed and managed globally. The following are the types of virtual hosting:

- Name-based hosting
- Internet Protocol (IP)-based hosting
- Port-based hosting

Web Proxy

A proxy server is located between the web client and the web server. Owing to the placement of web proxies, all requests from clients are passed on to the web server through the web proxies. They are used to prevent IP blocking and maintain anonymity.

Open-source Web Server Architecture

Open-source web server architecture typically uses Linux, Apache, MySQL, and PHP, often called the LAMP software bundle, as the principal components.
The following are the functions of the principal components in open-source web server architecture:

- Linux is the operating system (OS) of the web server and provides a secure platform
- Apache is the component of the web server that handles each HTTP request and response
- MySQL is a relational database used to store the content and configuration information of the web server
- PHP is the application layer technology used to generate dynamic web content

Figure 13.2: Functions of the principal components of the open-source web server architecture

IIS Web Server Architecture

Internet Information Services (IIS) is a web server application developed by Microsoft for Windows. IIS for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. It supports HTTP, HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).
IIS has several components, including a protocol listener such as HTTP.sys and services such as the World Wide Web Publishing Service (WWW Service) and the Windows Process Activation Service (WAS). Each component functions in application and web server roles. These functions may include listening for requests, managing processes, and reading configuration files.

Figure 13.3: Components of the IIS web server architecture

Web Server Security Issues

- Attackers usually target software vulnerabilities and configuration errors to compromise web servers
- Network- and OS-level attacks can be well defended using proper network security measures such as firewalls and IDSs. However, web servers can be accessed from anywhere via the Internet, which renders them highly vulnerable to attacks
- Impact of web server attacks: compromise of user accounts, website defacement, secondary attacks from the website, root access to other applications or servers, data tampering and data theft, and reputational damage to the company

A web server is a hardware/software application that hosts websites and makes them accessible over the Internet. A web server, together with a browser, implements the client-server model architecture. In this model, the web server plays the role of the server, and the browser acts as the client. To host websites, a web server stores the web pages of websites and delivers a particular web page upon request. Each web server has a domain name and an IP address associated with that domain name. A web server can host more than one website. Any computer can act as a web server if it has specific server software (a web server program) installed and is connected to the Internet.

Web servers are chosen based on their capability to handle server-side programming, their security characteristics, publishing, search engines, and site-building tools. Apache, Microsoft IIS, Nginx, Google, and Tomcat are some of the most widely used web server software. An attacker usually targets vulnerabilities in the software component and configuration errors to compromise web servers.
Figure 13.4: Conceptual diagram of a web server: the user visits websites hosted on a web server

Organizations can defend against most network-level and OS-level attacks by adopting network security measures such as firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) and by following security standards and guidelines. This forces attackers to turn their attention to web-server- and web-application-level attacks, because a web server that hosts web applications is accessible from anywhere over the Internet. This makes web servers an attractive target. Poorly configured web servers can create vulnerabilities in even the most carefully designed firewall systems. Attackers can exploit poorly configured web servers with known vulnerabilities to compromise the security of web applications. Furthermore, web servers with known vulnerabilities can harm the security of an organization. As shown in the figure below, organizational security includes seven levels, from stack 1 to stack 7.

Figure 13.5: Levels of organizational security (stack 7: custom web applications, business logic flaws; stack 6: third-party components, open source/commercial; web server: Apache/Microsoft IIS; database: Oracle/MySQL/MS SQL; operating system: Windows/Linux/OS X; network; security)

Common Goals behind Web Server Hacking

Attackers perform web server attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of a web server and steal sensitive information for financial gain or merely for the sake of curiosity.
The following are some common goals of web server attacks:

- Stealing credit-card details or other sensitive credentials using phishing techniques
- Integrating the server into a botnet to perform denial-of-service (DoS) or distributed DoS (DDoS) attacks
- Compromising a database
- Obtaining closed-source applications
- Hiding and redirecting traffic
- Escalating privileges

Some attacks are performed for personal reasons rather than financial gain:

- For pure curiosity
- For completing a self-set intellectual challenge
- For damaging the target organization's reputation

Dangerous Security Flaws Affecting Web Server Security

A web server configured by poorly trained system administrators may have security vulnerabilities. Inadequate knowledge, negligence, laziness, and inattentiveness toward security can pose the greatest threats to web server security. The following are some common oversights that make a web server vulnerable to attacks:

- Failing to update the web server with the latest patches
- Using the same system administrator credentials everywhere
- Allowing unrestricted internal and outbound traffic
- Running unhardened applications and servers

Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The following are some of the types of damage that attackers can cause to a web server:

- Compromise of user accounts: Web server attacks mostly focus on compromising user accounts. If the attacker compromises a user account, they can gain a large amount of useful information. The attacker can use the compromised user account to launch further attacks on the web server.
- Website defacement: Attackers can completely change the appearance of a website by replacing its original data.
They deface the target website by changing the visuals and displaying different pages with messages of their own.
- Secondary attacks from the website: An attacker who compromises a web server can use the server to launch further attacks on various websites or client systems.
- Root access to other applications or servers: Root access is the highest privilege level for logging in to a server, irrespective of whether the server is a dedicated, semi-dedicated, or virtual private server. Attackers can perform any action once they attain root access to the server.
- Data tampering: An attacker can alter or delete the data of a web server and even replace the data with malware to compromise users who connect to the web server.
- Data theft: Data are among the primary assets of an organization. Attackers can gain access to sensitive data such as financial records, future plans, or the source code of a program.
- Damage to the reputation of the company: Web server attacks may expose the personal information of a company's customers to the public, damaging the reputation of the company. Consequently, customers lose faith in the company and become afraid of sharing their personal details with it.
Why are Web Servers Compromised?

There are inherent security risks associated with web servers, the local area networks (LANs) that host websites, and the end users who access these websites using browsers.

Webmaster's perspective: From a webmaster's perspective, the greatest security concern is that a web server can expose the LAN or corporate intranet to threats posed by the Internet. These threats may be in the form of viruses, Trojans, attackers, or the compromise of data. Bugs in software programs are often sources of security lapses. Web servers, which are large and complex devices, also have these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while responding to remote requests. Any Common Gateway Interface (CGI) script installed in the web server may contain bugs that are potential security holes.

Network administrator's perspective: From a network administrator's perspective, a poorly configured web server causes potential holes in the LAN's security. While the objective of the web server is to provide controlled access to the network, excess control can make the web almost impossible to use. In an intranet environment, the network administrator must configure the web server carefully so that legitimate users are recognized and authenticated, and groups of users are assigned distinct access privileges.

End user's perspective: Usually, the end user does not perceive any immediate threat, because surfing the web appears both safe and anonymous.
However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. In addition, active content from a website that is displayed by the user's browser can be used as a conduit for malicious software to bypass the firewall system and permeate the LAN.

The following are some oversights that can compromise a web server:

- Improper file and directory permissions
- Installing the server with default settings
- Unnecessary services enabled, including content management and remote administration
- Security conflicts with the business' ease-of-use requirements
- Lack of proper security policy, procedures, and maintenance
- Improper authentication with external systems
- Default accounts with default or no passwords
- Unnecessary default, backup, or sample files
- Misconfigurations in the web server, OS, and networks
- Bugs in server software, OS, and web applications
- Misconfigured Secure Sockets Layer (SSL) certificates and encryption settings
- Administrative or debugging functions that are enabled or accessible on web servers
- Use of self-signed certificates and default certificates
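Several of the oversights listed above (default settings left in place, directory listing, debugging functions, sample content) can be caught by reading the server's configuration before it goes live. The checker below is an added example written for this page, not EC-Council's code and not part of any Apache distribution. It audits a constructed Apache httpd configuration; the directives it inspects (ServerTokens, ServerSignature, TraceEnable, Options Indexes, Alias) are real httpd directives, and the defaults it assumes when a directive is absent (ServerTokens Full, TraceEnable On) are Apache's documented defaults. The finding codes and the /manual heuristic are our own.

```python
"""Auditing an Apache httpd configuration for common default-install oversights.

Added example written for this page, not EC-Council's code.  The two sample
configurations are constructed; the finding codes are our own labels.
"""
import re

# Constructed: a freshly installed server that still carries its defaults.
CONSTRUCTED_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
ServerTokens Full
ServerSignature On
TraceEnable On
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Alias /manual /usr/share/httpd/manual
"""

# Constructed: the same server after hardening.
HARDENED_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
ServerTokens Prod
ServerSignature Off
TraceEnable Off
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# directive (lower-case) -> (predicate that marks the value unsafe, finding code)
VALUE_CHECKS = {
    "servertokens": (lambda v: v.lower() != "prod", "banner-leaks-version"),
    "serversignature": (lambda v: v.lower() != "off", "signature-on-error-pages"),
    "traceenable": (lambda v: v.lower() != "off", "http-trace-enabled"),
}
# Directives whose absence leaves an unsafe Apache default in force.
UNSAFE_WHEN_UNSET = {"servertokens": "banner-leaks-version",
                     "traceenable": "http-trace-enabled"}
# Sample/documentation content shipped with the server (heuristic, our own list).
DEFAULT_CONTENT_PATHS = ("/manual",)


def audit_httpd_conf(text):
    """Return a sorted list of (line number, finding code).  Line 0 means the
    directive is missing altogether and Apache's default applies."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and <Directory>/<VirtualHost> container tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2).strip()
        seen.add(directive)
        if directive in VALUE_CHECKS:
            unsafe, code = VALUE_CHECKS[directive]
            if unsafe(value):
                findings.append((lineno, code))
        elif directive == "options":
            # "Indexes" or "+Indexes" enables directory listing; "-Indexes" removes it.
            if any(tok in ("Indexes", "+Indexes") for tok in value.split()):
                findings.append((lineno, "directory-listing-enabled"))
        elif directive == "alias":
            url_path = value.split()[0] if value.split() else ""
            if url_path in DEFAULT_CONTENT_PATHS:
                findings.append((lineno, "default-content-exposed"))
    for directive, code in UNSAFE_WHEN_UNSET.items():
        if directive not in seen:
            findings.append((0, code))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in audit_httpd_conf(CONSTRUCTED_HTTPD_CONF):
        print(f"line {lineno}: {code}")
    print("hardened:", audit_httpd_conf(HARDENED_HTTPD_CONF))
```

Run against the constructed default configuration it reports five findings; against the hardened one it reports none. The line-0 convention matters in practice: a configuration that simply never mentions ServerTokens or TraceEnable is just as exposed as one that sets them badly.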
Web Server Attacks

An attacker can use many techniques to compromise a web server, such as DoS/DDoS, Domain Name System (DNS) server hijacking, DNS amplification, directory traversal, man-in-the-middle (MITM)/sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, Secure Shell (SSH) brute force, and web server password cracking. This section describes these attack techniques in detail.

DoS/DDoS Attacks

- Attackers may send numerous fake requests to the web server, which causes the web server to crash or makes it unavailable to legitimate users
- Attackers may target high-profile web servers such as banks, credit-card payment gateways, and government-owned services to steal user credentials

A DoS/DDoS attack involves flooding targets with copious fake requests so that the target stops functioning and becomes unavailable to legitimate users. By using a web server DoS/DDoS attack, an attacker attempts to take the web server down or make it unavailable to legitimate users. A web server DoS/DDoS attack often targets high-profile web servers such as bank servers, credit-card payment gateways, and even root name servers.

Figure 13.6: Web server DDoS attack (unwanted traffic from the Internet; the result is service downtime and financial losses)

To crash a web server running an application, the attacker targets the following services to consume the web server's resources with fake requests:

- Network bandwidth
- CPU usage
- Server memory
- Hard-disk space
- Application exception handling
- Database space mechanism
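A flood of fake requests of the kind described above leaves a clear trace in the web server's own access log: one source, far more requests per second than any real browser produces. The detector below is an added example written for this page, not EC-Council's code and not a tool the module describes. It parses constructed log lines in the Apache/Nginx "combined" format and reports the peak request rate per client address over a sliding window; the 10-second window and 100-request threshold are illustrative values.

```python
"""Finding a request flood in a web server access log.

Added example written for this page, not EC-Council's code.  The log lines
are constructed in Apache/Nginx "combined" format; the window and threshold
are illustrative values, not a published standard.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One combined-format line -> dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def peak_rate_per_source(lines, window_seconds=10):
    """{client IP: most requests seen from it in any sliding window}.
    Lines are expected in chronological order, as a server writes them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def flood_sources(lines, window_seconds=10, threshold=100):
    """Client IPs whose peak rate reaches the threshold: candidates for rate
    limiting or a temporary block at the firewall or reverse proxy."""
    rates = peak_rate_per_source(lines, window_seconds)
    return sorted(ip for ip, rate in rates.items() if rate >= threshold)


def build_sample_log():
    """Constructed log: two ordinary clients plus one source sending 300
    identical requests in about five seconds."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def entry(ip, ts, path, agent):
        stamp = ts.strftime(TS_FORMAT)
        return ts, f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "{agent}"'

    entries = []
    for i in range(6):
        entries.append(entry("198.51.100.7", base + timedelta(seconds=2 * i), "/index.html", "Mozilla/5.0"))
        entries.append(entry("198.51.100.8", base + timedelta(seconds=3 * i), f"/page{i}.html", "Mozilla/5.0"))
    for i in range(300):
        entries.append(entry("203.0.113.9", base + timedelta(milliseconds=16 * i), "/search?q=a", "curl/8.0"))
    entries.sort(key=lambda e: e[0])      # chronological, as a real log would be
    return [line for _, line in entries]


if __name__ == "__main__":
    log = build_sample_log()
    for ip, rate in sorted(peak_rate_per_source(log).items()):
        print(f"{ip:15} peak {rate} requests / 10 s")
    print("flood sources:", flood_sources(log))
```

On the constructed log the two browsers peak at a handful of requests per window while the flooding source peaks at 300, so only it crosses the threshold. Against a real log the same code is a first-pass triage; distributed floods spread the load across many addresses, so the per-path or per-URL equivalent (keying the deque on the request path instead of the client IP) is the companion check.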
DNS Server Hijacking

- The attacker compromises the DNS server and changes the DNS settings so that all requests coming toward the target web server are redirected to his/her own malicious server

The Domain Name System (DNS) resolves a domain name to its corresponding IP address. A user queries the DNS server with a domain name, and the DNS server responds with the corresponding IP address. In DNS server hijacking, an attacker compromises a DNS server and changes its mapping settings to redirect toward a rogue DNS server, which redirects the user's requests to the attacker's rogue server. Consequently, when the user enters a legitimate URL in a browser, the settings will redirect to the attacker's fake site.

Figure 13.7: DNS server hijacking (the attacker compromises the DNS server; the DNS server checks the respective DNS mapping; the user's request is redirected to the malicious website instead of the legitimate site)

DNS Amplification Attack

- The attacker takes advantage of the DNS recursive method of DNS redirection to perform DNS amplification attacks
- The attacker uses compromised PCs with spoofed IP addresses to amplify DDoS attacks on the victim's DNS server by exploiting the DNS recursive method

A recursive DNS query is a method of requesting a DNS mapping. The query goes through DNS servers recursively until it either finds the specified domain-name-to-IP-address mapping or fails to find it.
The following are the steps involved in processing recursive DNS requests; these steps are illustrated in the figure below.

- Step 1: A user who wants to resolve a domain name to its corresponding IP address sends a DNS query to the primary DNS server specified in the host's Transmission Control Protocol (TCP)/IP properties.
- Steps 2 to 7: If the requested DNS mapping does not exist on the user's primary DNS server, the server forwards the request to the root server. The root server forwards the request to the .com namespace, where the user can find DNS mappings. This process repeats recursively until the DNS mapping is resolved.
- Step 8: Ultimately, when the system finds the primary DNS server for the requested DNS mapping, it generates a cache entry for the IP address in the user's primary DNS server.

Figure 13.8: Recursive DNS query (users; primary DNS server, recursion allowed)

Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in a DDoS attack on the victim's DNS server. The following are the steps involved in a DNS amplification attack; these steps are illustrated in the figure below.

- Step 1: The attacker instructs compromised hosts (bots) to make DNS queries in the network.
- Step 2: All the compromised hosts spoof the victim's IP address and send DNS query requests to the primary DNS server configured in the victim's TCP/IP settings.
- Steps 3 to 8: If the requested DNS mapping does not exist on the victim's primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the .com or respective top-level domain (TLD) namespaces.
This process repeats recursively until the victim's primary DNS server resolves the DNS mapping request.
- Step 9: After the primary DNS server finds the DNS mapping for the victim's request, it sends a DNS mapping response to the victim's IP address. This response goes to the victim because the bots use the victim's IP address. The replies to the copious DNS mapping requests from the bots result in a DDoS on the victim's DNS server.

Figure 13.9: DNS amplification attack (attacker and bots; primary DNS server of the victim; victim's server)

Directory Traversal Attacks

- In directory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to access restricted directories outside the web server root directory
- Attackers can use the trial-and-error method to navigate outside the root directory and access sensitive information in the system

An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack.

The design of web servers limits public access to some extent. Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside the web server's root directory by manipulating a Uniform Resource Locator (URL). In directory traversal attacks, attackers use the dot-dot-slash (../) sequence to access restricted directories outside the web server's root directory. Attackers can use the trial-and-error method to navigate outside the root directory and access sensitive information in the system.
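Before going further into directory traversal, here is what the DNS amplification exchange of steps 1 to 9 above looks like from the side of the "primary DNS server (recursion allowed)" that is being used as the reflector. This is an added example written for this page, not EC-Council's code and not a feature of any DNS server. The packet records, the resolver address 203.0.113.53, the LAN range 10.0.0.0/8, the victim and bot addresses, and the thresholds are all constructed. It computes, per claimed client address, how many bytes the resolver sent back relative to what it received (the amplification factor), and separately lists addresses outside the served network that the resolver answered at all (open recursion).

```python
"""Recognising DNS amplification traffic at a recursive resolver.

Added example written for this page, not EC-Council's code.  Packets are as
seen by the resolver of the module's figure; every address, size and
threshold below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RESOLVER_IP = "203.0.113.53"
# Networks this resolver is supposed to recurse for; anything else is "external".
ALLOWED_RECURSION = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class DnsPacket:
    t: float      # seconds since capture start
    src: str
    dst: str
    kind: str     # "query" or "response"
    qname: str
    qtype: str
    size: int     # UDP payload bytes


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ALLOWED_RECURSION)


def amplification_by_client(packets, resolver_ip=RESOLVER_IP):
    """Per claimed client address: query count, bytes in, bytes out, ANY-query
    count and the amplification factor (response bytes / query bytes).  A
    spoofed victim shows up as a 'client' receiving far more than it sent."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0,
                                 "response_bytes": 0, "any_queries": 0})
    for p in packets:
        if p.kind == "query" and p.dst == resolver_ip:
            s = stats[p.src]
            s["queries"] += 1
            s["query_bytes"] += p.size
            if p.qtype == "ANY":
                s["any_queries"] += 1
        elif p.kind == "response" and p.src == resolver_ip:
            stats[p.dst]["response_bytes"] += p.size
    for client, s in stats.items():
        s["factor"] = round(s["response_bytes"] / s["query_bytes"], 1) if s["query_bytes"] else 0.0
        s["external"] = is_external(client)
    return dict(stats)


def suspected_amplification(packets, resolver_ip=RESOLVER_IP, min_factor=10.0, min_queries=20):
    """Addresses the resolver is being used to flood: many queries, each
    answered with a response many times its size.  Source filtering alone
    does not catch this, because the spoofed source is an allowed client."""
    return sorted(
        client for client, s in amplification_by_client(packets, resolver_ip).items()
        if s["queries"] >= min_queries and s["factor"] >= min_factor
    )


def open_recursion_clients(packets, resolver_ip=RESOLVER_IP):
    """External addresses the resolver answered at all; on a resolver meant
    only for the LAN, these show recursion is open to the Internet."""
    return sorted(
        client for client, s in amplification_by_client(packets, resolver_ip).items()
        if s["external"] and s["response_bytes"] > 0
    )


def build_sample_capture():
    """Constructed capture: a LAN host doing ordinary A lookups; 50 ANY queries
    carrying the victim address 10.0.0.20 as their source (step 2) and the
    3000-byte answers the resolver sends to it (step 9); and two lookups from
    an outside address that the resolver should not be serving."""
    pk = []
    for i in range(5):
        t = float(i)
        pk.append(DnsPacket(t, "10.0.0.5", RESOLVER_IP, "query", "www.certifiedhacker.com", "A", 60))
        pk.append(DnsPacket(t + 0.01, RESOLVER_IP, "10.0.0.5", "response", "www.certifiedhacker.com", "A", 120))
    for i in range(50):
        t = 10 + 0.05 * i
        pk.append(DnsPacket(t, "10.0.0.20", RESOLVER_IP, "query", "certifiedhacker.com", "ANY", 64))
        pk.append(DnsPacket(t + 0.01, RESOLVER_IP, "10.0.0.20", "response", "certifiedhacker.com", "ANY", 3000))
    for i in range(2):
        t = 20.0 + i
        pk.append(DnsPacket(t, "192.0.2.77", RESOLVER_IP, "query", "www.certifiedhacker.com", "A", 60))
        pk.append(DnsPacket(t + 0.01, RESOLVER_IP, "192.0.2.77", "response", "www.certifiedhacker.com", "A", 120))
    return pk


if __name__ == "__main__":
    capture = build_sample_capture()
    for client, s in sorted(amplification_by_client(capture).items()):
        print(f"{client:12} queries={s['queries']:3} ANY={s['any_queries']:3} factor={s['factor']}")
    print("amplification victims:", suspected_amplification(capture))
    print("external clients answered:", open_recursion_clients(capture))
```

The two reports point at different fixes. The amplification report flags the victim address 10.0.0.20, which is a legitimate client of this resolver, so an allow-list of client networks would not have stopped the flood; response-rate limiting per destination, and refusing or minimising ANY answers, are the controls that address it. The open-recursion report flags 192.0.2.77, which the resolver should never have answered; restricting recursion to the served networks removes that exposure.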
An attacker exploits the web server software (web server program) to perform directory traversal attacks. The attacker usually performs this attack with the help of a browser. A web server is vulnerable to this attack if it accepts input data from a browser without proper validation.
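The "proper validation" the paragraph above asks for, and the earlier material on the document root and on name-, IP- and port-based virtual hosting, come together in one place: the code that turns a request into a file path. The program below is an added example written for this page, not EC-Council's code and not the logic of any particular web server. It chooses a virtual host from the Host header, local address and port, maps the request path onto that host's document root, and refuses any path whose "../" segments (including percent-encoded and backslash forms) would climb above the root. The site table and addresses are constructed; the document root /admin/web/certroot and the P-folio/index.html path are the ones from the module's document-root example.

```python
"""From an HTTP request to a file on disk: virtual host selection, document
root mapping and rejection of "../" traversal.

Added example written for this page, not EC-Council's code.  The site table,
addresses and request paths are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request path would resolve outside the document root."""


@dataclass(frozen=True)
class VirtualHost:
    name: str          # Host header served; "*" matches any name (IP- or port-based site)
    listen_ip: str     # local address; "*" matches any, a fixed address means IP-based hosting
    port: int          # port-based hosting: different sites on different ports
    document_root: str


# Constructed site table covering name-, IP- and port-based hosting.
SITES = [
    VirtualHost("www.certifiedhacker.com", "*", 80, "/admin/web/certroot"),
    VirtualHost("blog.certifiedhacker.com", "*", 80, "/admin/web/blogroot"),
    VirtualHost("*", "203.0.113.10", 80, "/admin/web/ipsite"),
    VirtualHost("*", "*", 8080, "/admin/web/adminroot"),
]


def select_vhost(host_header: Optional[str], local_ip: str, local_port: int):
    """Most specific matching site, or None.  Returning None for an unknown
    Host header, instead of silently serving the first site, keeps a stray
    name from reaching content it was never meant to see."""
    host = host_header.strip().lower().split(":", 1)[0] if host_header else None
    best, best_score = None, -1
    for site in SITES:
        if site.port != local_port:
            continue
        if site.listen_ip not in ("*", local_ip):
            continue
        if site.name not in ("*", host):
            continue
        score = 2 * (site.listen_ip != "*") + (site.name != "*")   # explicit beats wildcard
        if score > best_score:
            best, best_score = site, score
    return best


def normalize_request_path(request_path: str) -> str:
    """Canonical absolute form of the URL path.  Decodes percent-escapes once,
    treats backslashes as separators (so "..\\" and "%2e%2e/" are caught) and
    raises if a ".." segment climbs above the root."""
    path = unquote(request_path).split("?", 1)[0].split("#", 1)[0]
    if "\x00" in path:                       # NUL truncates paths in C-based servers
        raise PathTraversalError("NUL byte in request path")
    cleaned = path.replace("\\", "/")
    parts = []
    for seg in cleaned.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise PathTraversalError("request path escapes the document root")
            parts.pop()
        else:
            parts.append(seg)
    if not parts or cleaned.endswith("/"):   # directory request -> default document
        parts.append("index.html")
    return "/" + "/".join(parts)


def resolve_document_path(document_root: str, request_path: str) -> str:
    """Filesystem path for request_path under document_root."""
    root = posixpath.normpath(document_root)
    resolved = posixpath.join(root, normalize_request_path(request_path).lstrip("/"))
    if not resolved.startswith(root + "/"):  # belt and braces after normalization
        raise PathTraversalError("resolved path left the document root")
    return resolved


def is_safe_request(document_root: str, request_path: str) -> bool:
    try:
        resolve_document_path(document_root, request_path)
        return True
    except PathTraversalError:
        return False


def file_for_request(host_header, local_ip, local_port, request_path):
    """Full pipeline: (site, path), or (None, None) when no site matches."""
    site = select_vhost(host_header, local_ip, local_port)
    if site is None:
        return None, None
    return site, resolve_document_path(site.document_root, request_path)
```

Two design points are worth noting. Normalization walks the segments itself rather than calling a library normpath, because normpath silently discards leading ".." on absolute paths and would turn an escape attempt into a valid-looking path instead of an error; here an escape raises, which is what a server should log. And decoding happens exactly once: a path that still contains "%2e%2e" after that decode is treated as a literal file name, which is the behaviour a server that never double-decodes will have.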
