13 - Web Server Operations

13.1 Web Server Operations

 Web Server Security
 Web Server Architecture
 Web Server Vulnerabilities

 Focuses on the server, rather than the web apps
 Involves all of the typical system hacking techniques and countermeasures
 Apache
 The most widely used web server in the world
 Open source
 Runs on *NIX and Windows
 Strong support community
 Microsoft Internet Information Services (IIS)
 ASP.NET integration
 All components are separate modules that can be updated
 Older versions ran the core service as LocalSystem; since IIS 7.5 worker processes default to the low-privilege ApplicationPoolIdentity account
 IIS 5.0 had many vulnerabilities
 NGINX
 Uses a very different (event-driven) architecture for high performance
 Web server, reverse proxy, load balancer, mail proxy and HTTP cache
 Follows a master/worker model
 The master process reads the configuration and starts and supervises the workers; it does not serve requests itself
 Worker processes accept connections and send responses directly to clients
 Each worker handles many connections concurrently on a single thread (bounded by worker_connections, commonly 1024 in shipped configs)
 Proxied responses can be cached
 Distributes processes across multiple servers
 “N” tiers means you can have as many processing tiers as makes sense for your
use case
 N-Tier is normally implemented as three separate fault-tolerant servers:
 Presentation (webserver front end)
 Business Logic (application server middle tier)
 Data (database server back end)
[Diagram: N-tier layout. Internet -> Presentation tier (browsers, mobile apps hitting load-balanced web servers: Apache, NGINX, IIS) -> Business Logic tier (load-balanced/clustered application servers: Apache Tomcat, Java Server Pages, C# app) -> Data tier (clustered database servers: MySQL, Oracle SQL, MSSQL)]
 Webserver, OS, and network misconfigurations
 Bugs in the OS, web apps, logic software, and database engine
 Insufficient host hardening
 Improper authentication
 Improper permissions for files/directories
 Unchanged default accounts, settings and sample files
 Unnecessary services
 Vulnerable web apps that put the host at risk
 Conflicts with security due to business ease-of-use
 Tampering/theft of data
 Defacement of websites
 Compromised user accounts
 Root access to other apps/servers
 Secondary attacks from the website
13.2 Hacking Web Servers

 Testing Web Servers
 Attacking a web server involves the same basic steps as any other
system hacking:
1. Footprinting
2. Scanning
3. Enumeration
4. Exploitation

 Consider mirroring the website to make an offline copy that you can
probe at your convenience
 Realize that a local copy of the website might not include access to
business logic or database functionality
 OSINT information gathering:
 Internet searches
 Whois
 Acquire robots.txt to see directories/files that are hidden from web crawlers

 Web Server Footprinting


 Banner grabbing
 Tools:
 Netcraft
 HTTPRecon
 theHarvester
 ID Serve
 HTTPrint
 Copy the entire site to your own machine so you can take your time
examining it

 Tools:
 Wget
 BlackWidow
 HTTrack
 WebCopier Pro
 Web Ripper
 SurfOffline
 Banner grab
 Port and vulnerability scan
 Test HTTP methods
 Check for GET, HEAD, POST, OPTIONS, DELETE, PUT, CONNECT, TRACE
 Risky methods are DELETE, PUT, CONNECT, TRACE and should be disabled unless the application genuinely needs them (e.g. WebDAV); the Allow header returned to OPTIONS can be incomplete or wrong, so probe each method individually
nmap --script http-methods <target>
 List email addresses (http-google-email is a third-party NSE script, not part of Nmap's default script set)
nmap --script http-google-email <host>
 Enumerate common web apps
nmap --script http-enum -p80
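The method test described above, as an added Python example that is not part of the original slides: it sends OPTIONS to read the advertised Allow header, then probes each method on its own and judges it by the status code, because servers often advertise less (or more) than they actually handle. The host name is a placeholder and the responses used in the checks are constructed, not captured.

```python
"""Added example: find out which HTTP methods a web server really handles."""
import socket

RISKY_METHODS = ("PUT", "DELETE", "CONNECT", "TRACE")
PROBE_METHODS = ("GET", "HEAD", "POST", "OPTIONS") + RISKY_METHODS


def build_request(method, host, path="/"):
    """Build a minimal HTTP/1.1 request (CONNECT takes an authority, not a path)."""
    target = f"{host}:443" if method == "CONNECT" else path
    body = b"probe" if method == "PUT" else b""
    head = (f"{method} {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "User-Agent: method-probe/1.0\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def parse_response(raw):
    """Return (status_code, headers) from a raw response; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    try:
        status = int(lines[0].split(" ", 2)[1])
    except (IndexError, ValueError):
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def advertised_methods(options_response):
    """Methods listed in the Allow header of an OPTIONS response."""
    _, headers = parse_response(options_response)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def classify(method, status):
    """Judge a probed method from the status code it got back."""
    if status is None:
        return "no-response"
    if status in (405, 501):
        return "disabled"
    if status in (401, 403):
        return "auth-required"
    if method == "TRACE":
        # TRACE, when enabled, echoes the request back with 200
        return "enabled" if status == 200 else "disabled"
    return "enabled"


def risky_findings(advertised, probe_results):
    """Risky methods that are advertised or actually enabled: (method, advertised?, verdict)."""
    findings = []
    for method in RISKY_METHODS:
        verdict = probe_results.get(method, "not-probed")
        if method in advertised or verdict == "enabled":
            findings.append((method, method in advertised, verdict))
    return findings


def send(host, port, request, timeout=5.0):
    """Send one request and read the whole response (server closes the connection)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe(host, port=80):
    """Live probe: OPTIONS first, then every method individually."""
    advertised = advertised_methods(send(host, port, build_request("OPTIONS", host)))
    results = {}
    for method in PROBE_METHODS:
        status, _ = parse_response(send(host, port, build_request(method, host)))
        results[method] = classify(method, status)
    return advertised, results, risky_findings(advertised, results)


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder
    adv, res, bad = probe(target_host)
    print("advertised:", sorted(adv))
    print("probed:", res)
    for method, was_advertised, verdict in bad:
        print(f"RISKY {method}: advertised={was_advertised} probe={verdict}")
```

A method that is advertised but answers 405 is a configuration inconsistency worth reporting; a method that is not advertised but answers 200 (TRACE is the classic case) is the finding that matters.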
 Nmap
 Acunetix Web Vulnerability Scanner
 HP WebInspect
 Nessus
 Nikto
 Metasploit
 Use nmap scripts to discover information and vulnerabilities

 Detect vulnerable TRACE method


nmap --script http-trace -p80 localhost

 List email addresses (third-party NSE script, not in the default Nmap script set)

nmap --script http-google-email <host>

 Discover other virtual hosts sharing the IP address you are footprinting; the hostmap-* family (e.g. hostmap-robtex, hostmap-crtsh, historically hostmap-ip2hosts) queries online databases such as IP2Hosts, and the wildcard must be quoted so the shell does not expand it
nmap --script "hostmap-*" <host>

 Enumerate common web apps


nmap --script http-enum -p80 <host>

 Grab the robots.txt file


nmap --script http-robots.txt -p 80 <host>
 Attempt to identify website
sub-directories and files
 These objects can exist
without obvious navigation
to them
 They often contain
sensitive information
 Tools:
 DirBuster
 Google Dorks
 Sitechecker.pro
 URL Fuzzer
13.3 Common Web Server Attacks

 Common Attacks
• Password Cracking
• DNS Server Hijacking
• Misconfiguration Attacks
• Web Cache Poisoning
• Web Page Defacement
• DoS/DDoS
• TLS Downgrade / MITM
• Directory Traversal
• Shellshock
• Heartbleed
• POODLE
• DROWN
 Website passwords are often exempt from normal lockout policies
 Password cracking techniques include:
 Bruteforce attack
 Dictionary attack
 Password Guessing

 Password cracking tools include:


 THC-Hydra
 Brutus
 Medusa
 No intruder lockout after a certain number of failed attempts
 Intruder lockout time that's too short
 Allowing simultaneous logins from the same or multiple hosts
 Transmitting login traffic via HTTP instead of HTTPS
• Does not compromise the web server itself
• Instead changes the web server’s DNS A record
• DNS then misdirects users to a malicious site

• Attacker modifies the web server’s A record by:


• Pretending to be a primary DNS server providing a zone transfer to a secondary server
• Pretending to be the web server performing a dynamic DNS update of its own record
• Corrupting the saved lookups on a caching-only DNS server
• A number of exploits take advantage of web server misconfiguration including:
• Unnecessary features
• Default accounts
• Weak passwords
• Error messages that reveal sensitive information
• Lack of updates and patching
• Incorrect permissions

 Ancillary services such as SMTP and FTP can also put a web server at risk
 These are often extended features of the website
 They need their own hardening and proper configuration

 A misconfigured operating system or insecure physical environment can also make


the web server vulnerable
 Coding errors in web apps provide another vector for attack
 Web cache poisoning: trick an intermediate cache (CDN, reverse proxy) or the browser cache into storing an attacker-influenced response, so later visitors are served malicious content
 Web page defacement: replacing authorized content with something else
 Vulnerable web apps and improper file system permissions are the most common causes
 Any attack that makes the web server unavailable
 Can include:
 Network bandwidth consumption
 Resource consumption
 Amplification attacks
 Use a Man-in-the-Middle attack to force the client to downgrade its connection security to the web server:
 TLS down to SSLv3 (or to a weaker TLS version or cipher suite)
 HTTPS down to plain HTTP (SSL stripping)
 Countered by HSTS on the server and by clients that refuse protocol fallback (TLS_FALLBACK_SCSV)

[Diagram: downgrade exchange between client, MITM and server: "I can't do HTTPS" / "OK then HTTP" / "Sure thing"]

 Directory traversal: using ../ sequences (often URL-encoded) to escape the web content directory and read files in other operating system directories
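Directory traversal as an added Python example, not from the original slides: the naive join a vulnerable handler does, beside a hardened resolver that decodes once, rejects double-encoding and NUL bytes, normalizes the path and checks it is still under the document root. The document root is a placeholder string and nothing is read from disk (posixpath is used so the logic is the same on any OS; a real server should additionally realpath the result so symlinks cannot lead out of the root).

```python
"""Added example: vulnerable path join beside a hardened one."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # placeholder document root


def vulnerable_path(docroot, requested):
    """Naive join: '../' sequences walk straight out of the document root."""
    return docroot.rstrip("/") + "/" + unquote(requested).lstrip("/")


def safe_path(docroot, requested):
    """Resolve a request path inside docroot; return None if it escapes."""
    decoded = unquote(requested)
    if "%" in decoded:
        # still encoded after one decode: double-encoding (%252e) is a bypass attempt
        return None
    if "\x00" in decoded:
        # NUL truncation tricks against native string handling
        return None
    # some servers treat backslash as a separator; normalise before checking
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(requested):
    """Detection-side view: does the raw request path contain escape sequences?"""
    decoded = unquote(requested).replace("\\", "/")
    return "../" in decoded or decoded.endswith("..") or "%" in decoded


if __name__ == "__main__":
    for req in ("images/a.png", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "%252e%252e/x"):
        print(f"{req!r}: naive={vulnerable_path(DOCROOT, req)} safe={safe_path(DOCROOT, req)}")
```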
 Shellshock (CVE-2014-6271 and follow-up CVEs) is a bug in Bash, the command-line shell used on most Linux and UNIX systems
 Bash imported function definitions from environment variables, and a vulnerable version also executed any commands appended after the function definition
 Anything that copies attacker-controlled input into an environment variable and then starts Bash is exposed, most famously CGI scripts, where the web server exports request headers such as User-Agent into the script's environment
 The injected commands run with the privileges of the process that started Bash (for a CGI script, the web server account), which is often enough of a foothold to take over the system
 Shellshock is a simple and inexpensive attack that bad actors can deploy against an unknowing target
 It affected many Internet-facing services including those on Linux, UNIX, and OS X
 It did not directly affect Windows
 This local test puts a function definition with a trailing echo into an environment variable and then starts Bash to run a command (here, displaying /etc/passwd); a vulnerable Bash prints "vulnerable" before running the command, a patched one only runs the command

env x='() { :;}; echo vulnerable' bash -c 'cat /etc/passwd'
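Two Shellshock checks as an added Python example, not from the original slides: the local one runs the environment-variable test above against the installed bash, and the HTTP one does what scanners do against CGI endpoints, placing the payload in the User-Agent and Referer headers (which the web server exports into the CGI environment) with a random marker that only comes back if the server-side Bash executed the injected echo. The target host and path in probe_cgi are hypothetical and the responses used for the checks are constructed.

```python
"""Added example: Shellshock (CVE-2014-6271) checks, local and over HTTP."""
import http.client
import secrets
import shutil
import subprocess


def local_bash_vulnerable():
    """True if the local bash runs commands trailing a function import; None if no bash."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    # The variable holds a function definition followed by an extra command.
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo VULNERABLE"}
    proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                          capture_output=True, text=True, timeout=10)
    return "VULNERABLE" in proc.stdout


def make_marker():
    """Random marker so a hit cannot be a coincidence or a cached page."""
    return "SHELLSHOCK-" + secrets.token_hex(8)


def shellshock_payload(marker):
    """Function definition plus trailing commands; the first echo terminates the CGI headers."""
    return f"() {{ :;}}; echo; echo {marker}"


def response_indicates_vulnerable(raw_response, marker):
    """The marker only appears if the server-side bash executed the injected echo."""
    return marker.encode("ascii") in raw_response


def probe_cgi(host, path, port=80, timeout=5.0):
    """Live check of one CGI endpoint (hypothetical target); returns (vulnerable, marker)."""
    marker = make_marker()
    payload = shellshock_payload(marker)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path, headers={"User-Agent": payload, "Referer": payload})
    resp = conn.getresponse()
    # Check headers as well as the body: the marker may land before the header/body split
    raw = b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in resp.getheaders())
    raw += b"\r\n" + resp.read()
    conn.close()
    return response_indicates_vulnerable(raw, marker), marker


if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_vulnerable())
    # example usage against a hypothetical target:
    # print(probe_cgi("cgi.example.invalid", "/cgi-bin/status"))
```

The "echo;" in the payload matters: the CGI convention is that the script's first output is its response headers, so without the blank line the marker would be swallowed as a malformed header and a vulnerable server could look clean.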


 Heartbleed (CVE-2014-0160) exploits a flaw in OpenSSL's implementation of the TLS heartbeat extension (OpenSSL 1.0.1 through 1.0.1f)
 TLS includes a heartbeat extension
 Allows a computer at one end of a TLS connection to send a short message to verify that the other computer is still online and get a response back
 A malicious heartbeat message claims a payload length larger than the data actually sent
 The vulnerable peer copies that many bytes from its own memory into the reply, divulging process memory (up to 64 KB per request, repeatable at will)
 Leaked information can include private keys, session keys, passwords, credit card numbers, etc.
 Padding Oracle On Downgraded Legacy Encryption (CVE-2014-3566)
 POODLE attacks make use of web browser and server fallback to SSLv3
 Happens if negotiating a TLS session fails
 An attacker can "force" TLS negotiation to fail

 POODLE Steps:
 Attacker inserts themselves as MITM between client and server
 Forces a downgrade of TLS to SSLv3 by breaking the TLS handshake attempts
 If the negotiated cipher suite uses a block cipher in CBC mode (SSLv3 does not authenticate the padding bytes), the server acts as a padding oracle:
 By making the victim's browser issue repeated requests (typically via injected JavaScript) and manipulating the ciphertext, the attacker decrypts about one byte per 256 requests, enough to recover session cookies and similar secrets
 RC4 suites are not affected by POODLE (they have their own keystream biases); the fix is to disable SSLv3 and support TLS_FALLBACK_SCSV
 Decrypting RSA with Obsolete and Weakened eNcryption (CVE-2016-0800)
 Exists because SSLv2 supports export-grade (40-bit) RSA key exchange, and an SSLv2 server leaks whether a submitted RSA ciphertext decrypted to valid padding (a Bleichenbacher oracle)
 Vulnerability requirements:
 The server allows SSLv2 connections, or
 The server's RSA private key (or certificate) is also used on any other server that allows SSLv2 connections, including non-HTTP services such as SMTP or IMAP
 Attack steps:
 The attacker captures TLS handshakes and the encrypted TLS traffic between clients and the target
 The attacker repeatedly modifies the captured RSA key exchange and sends thousands of these probes to an SSLv2-capable server using the same key
 Each SSLv2 response reveals whether the modified ciphertext had valid padding, which narrows down the TLS pre-master secret
 The general attack needs roughly 1,000 captured TLS handshakes, about 40,000 SSLv2 probe connections and about 2^50 offline computation; the DROWN authors reported doing that work on rented cloud compute (Amazon EC2) for a few hundred dollars
 Once a session's pre-master secret is recovered, the captured TLS traffic for that session can be decrypted
13.4 Web Server Attack Tools

 Common Attack Tools
 Brutus, THC Hydra, Medusa
 Brute force network-based password crackers

 Metasploit
 Open source hacker framework with many exploits and payloads
 You can search for “apache”, “iis”, “nginx”, “poodle”, “shellshock”, etc.
 Installed by default in Kali Linux
 Can also be downloaded and installed in other Linux distributions
 Metasploit Pro (commercial version) can be installed on Windows

• SearchSploit
• A command line search and download tool for Exploit-DB
• Installed by default in Kali Linux
• Exploits are written in C, Python, Perl, Ruby, etc.
• Contains many exploits that are not in Metasploit
• Update your local copy of the database: searchsploit -u
• WFETCH
• Microsoft tool to customize and send HTTP requests

 Low Orbit Ion Cannon (LOIC)


 Floods a target server with TCP, UDP, or HTTP packets

 High Orbit Ion Cannon (HOIC)


 Floods target systems with junk HTTP GET and POST requests

 HULK
 Attacks web servers by generating unique and obfuscated volumes of traffic
 Bypasses caching engines, directly hitting the server's resource pool
13.5 Hacking Web Servers Countermeasures

 General Webserver Defense
 Protect Apache
 Protect IIS
 Protect NGINX
 Set file system permissions on all directories and content
 Send HTTP Strict Transport Security (HSTS) headers and redirect all HTTP to HTTPS so clients cannot be stripped down to plain HTTP
 Keep all related services and components patched and up-to-date
 Harden the operating system and network infrastructure
 Remove unnecessary services and features, and change defaults
 Move other network services to other hosts

 Ensure restricted access to configuration files including registry settings


 Relocate all websites/virtual directories to non-system partitions
 Restrict access using web server and file system permissions.
 Ensure all incoming traffic requests are screened/filtered with a firewall and WAF
 Implement NIDS in the DMZ and private webservice-related VLANs
 Implement HIDS and host firewalls on all systems
 Disable serving directory listings
 Get rid of unnecessary .jar and non-web files
 Where the platform supports it, precompile to byte code so sensitive configuration is not shipped as readable source in the web root
 Remove script mappings for file extensions that are not needed
 Physically separate the web front end, application layer, and database layer onto
separate servers
 Only put the web front end in the DMZ
 Implement a transport mode IPSEC VPN between:
 The web front end and the application server
 The application server and the database server

 Implement fault tolerance and redundancy:


 Load balance the web server
 Cluster the application server
 Cluster the database server

 Run your own vulnerability scans and remediate any findings.


 Enable auditing on the webserver (at least the minimum level needed for an investigation) and protect log files using file system permissions
 Forward logs to a syslog server
 Use SIEM to track and analyze trends
 Ensure the server certificate is current and issued by a reputable certification
authority
 Ensure that the web service, application service, and database service use
different accounts
 Configure a separate anonymous user account for each app when hosting more
than one web app.
 Nikto
 Open source web server and web application scanner
 Performs comprehensive tests for multiple security threats including
 Dangerous files/programs
 Outdated web server software
 Version-specific problems

 Online website vulnerability scanners:

 SUCURI
 Qualys
 Quttera
 Intruder
 Update LAMP components to the latest version
sudo apt-get update
sudo apt-get upgrade
 Discover and disable unnecessary modules running on the server
sudo ls /etc/apache2/mods-enabled
sudo a2dismod module_name
 Check the access log for suspicious requests and hacking attempts (traversal sequences, Shellshock payloads in headers, scanner user agents, bursts of 404s from one address)
/var/log/apache2/access.log (Debian/Ubuntu) or /var/log/httpd/access_log (RHEL/CentOS)
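The log review above as an added Python example, not from the original slides: it parses Apache's combined log format and flags traversal sequences, Shellshock payloads, known scanner user agents, risky methods and 404 bursts per client address. The log lines are constructed for the example (documentation IP ranges), not taken from a real server.

```python
"""Added example: triage an Apache combined-format access log for attack signs."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SIGNATURES = [
    ("directory traversal", re.compile(r"\.\.(?:/|\\|%2f|%5c)|%2e%2e|%252e", re.I)),
    ("shellshock", re.compile(r"\(\)\s*\{")),            # "() {" function import
    ("scanner user-agent", re.compile(r"nikto|sqlmap|dirbuster|nmap", re.I)),
]
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed sample log (not real traffic); one benign hit, then attacks.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.99 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 45 "-" "() { :;}; echo; /bin/id"
192.0.2.99 - - [10/Oct/2023:13:56:10 +0000] "TRACE / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:57:00 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:57:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:57:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.23 - - [10/Oct/2023:13:57:03 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, not_found_threshold=3):
    """Return a list of (client_ip, finding_kind, evidence) tuples."""
    findings = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("-", "unparseable line", line.strip()[:80]))
            continue
        haystack = f"{rec['path']} {rec['ua']} {rec['referer']}"
        for kind, pattern in SIGNATURES:
            if pattern.search(haystack):
                evidence = rec["ua"] if kind == "scanner user-agent" else rec["path"]
                findings.append((rec["ip"], kind, evidence))
        if rec["method"] in RISKY_METHODS:
            findings.append((rec["ip"], f"risky method {rec['method']}", rec["path"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    # Many misses from one address is forced browsing (DirBuster, Nikto, URL fuzzers)
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            findings.append((ip, "404 burst (forced browsing)", f"{n} misses"))
    return findings


if __name__ == "__main__":
    for ip, kind, evidence in triage(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {kind:28} {evidence}")
```

To run it over a real file: triage(open("/var/log/apache2/access.log")). Note that the web server logs the request as received, so encoded traversal sequences appear encoded, which is why the signature matches both the raw and the %-encoded forms.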
 Ensure that Apache and SQL use different, non-root user accounts
 Configure /etc/apache2/apache2.conf:
 Set ServerTokens Prod and ServerSignature Off so headers and error pages do not reveal the version
 Disable directory listings (Options -Indexes)
 Protect server settings by disabling .htaccess overrides (AllowOverride None)
 Disable TRACE (TraceEnable Off)
 Defend against a slowloris DoS attack by reducing the Timeout value and enabling mod_reqtimeout (RequestReadTimeout)
 Limit what requests may do per directory: restrict methods with <LimitExcept> and cap request bodies with LimitRequestBody
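The Apache directives above, as an added Python example that is not part of the original slides: a small auditor that reads a configuration, applies httpd's own defaults for anything unset (ServerTokens defaults to Full, TraceEnable to On, Timeout to 60) and reports each weak setting, run over a constructed weak configuration and its hardened counterpart. The directive checks are a subset chosen for this chapter, not a complete Apache benchmark, and RequestReadTimeout assumes mod_reqtimeout is enabled.

```python
"""Added example: audit an Apache config for the weak settings discussed above."""
import re

# Constructed configurations: the weak one beside the corrected one.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
Timeout 300
TraceEnable On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Timeout 30
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    LimitRequestBody 1048576
</Directory>
"""


def directives(conf):
    """Yield (name, args) for each directive line; comments and section tags are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip()


def audit_apache_config(conf):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    findings = []

    tokens = seen.get("servertokens", ["Full"])[-1]          # httpd default: Full
    if tokens.lower() != "prod":
        findings.append(f"ServerTokens {tokens}: reveals version details; set 'ServerTokens Prod'")

    signature = seen.get("serversignature", ["Off"])[-1]     # httpd default: Off
    if signature.lower() != "off":
        findings.append(f"ServerSignature {signature}: error pages reveal the version; set 'ServerSignature Off'")

    trace = seen.get("traceenable", ["On"])[-1]              # httpd default: On
    if trace.lower() != "off":
        findings.append(f"TraceEnable {trace}: TRACE enabled; set 'TraceEnable Off'")

    timeout_match = re.match(r"\d+", seen.get("timeout", ["60"])[-1])   # httpd default: 60
    if timeout_match and int(timeout_match.group()) > 60:
        findings.append(f"Timeout {timeout_match.group()}: slow clients hold connections; lower it")

    if "requestreadtimeout" not in seen:
        findings.append("no RequestReadTimeout (mod_reqtimeout): slowloris-style header/body trickle is not bounded")

    for args in seen.get("options", []):
        opts = args.split()
        if any(o.lower() in ("indexes", "+indexes") for o in opts) or (opts and opts[0].lower() == "all"):
            findings.append(f"Options {args}: directory listings enabled; use 'Options -Indexes'")

    for args in seen.get("allowoverride", []):
        if args.lower() != "none":
            findings.append(f"AllowOverride {args}: .htaccess can override server settings; use 'AllowOverride None'")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(audit_apache_config(conf))} finding(s)")
        for f in audit_apache_config(conf):
            print("  -", f)
```

Note that the defaults matter as much as the explicit lines: an apache2.conf that never mentions TraceEnable still has TRACE on, which is why the empty configuration below is reported rather than passed.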
 Use UrlScan (or the built-in Request Filtering module in IIS 7 and later) to screen/filter incoming requests based on rules set by the admin
 machine.config / web.config:
 Make sure to map protected resources to HttpForbiddenHandler
 Remove unused HttpModules
 Disable tracing (<trace enabled="false"/>)
 Turn off debug compiles (<compilation debug="false"/>)

 Check the log for suspicious requests and hacking attempts:


 %SystemDrive%\inetpub\logs\LogFiles

 Remove unnecessary ISAPI extensions and filters.

ISAPI filters provide Web servers such as IIS the ability to preprocess or postprocess information
sent between client and server. They are used for such tasks as custom authentication, encryption,
and compression schemes or for updating logging statistics on the Web server
 Keep NGINX and PHP updated to avoid these well-known NGINX vulnerabilities:
 SPDY heap buffer overflow (CVE-2014-0133)
 Allows the attacker to execute arbitrary code through a crafted request
 SPDY = Google protocol to accelerate web content delivery, since superseded by HTTP/2
 Root privilege escalation vulnerability (CVE-2016-1247, Debian/Ubuntu packages)
 Log directories created with insecure permissions let the web server user escalate to root
 Remote integer overflow vulnerability (CVE-2017-7529, range filter)
 A boundary condition error that discloses sensitive information from the cache
 NGINX Controller vulnerability
 Allows creation of unprivileged user accounts
 PHP 7 remote code execution vulnerability (CVE-2019-11043, PHP-FPM behind NGINX with certain fastcgi_split_path_info configurations)
 Can lead to information disclosure or unauthorized modification
Scenario:
1. You just discovered several unknown files in the root directory of your Linux FTP server:
 A tarball, two shell script files, and a binary file named "nc"
2. The FTP server's access logs show that the anonymous user account:
 logged in to the server
 uploaded the files
 extracted the contents of the tarball
 ran the script using a function provided by the FTP server's software
3. The "ps" command shows that the "nc" file is running as a process
4. The netstat command shows the "nc" process is listening on a network port
5. What kind of vulnerability must be present to make this remote attack possible?

Answer:
 The file system did not have proper permissions
 The anonymous user must have had write permissions to the FTP directory (and the server let it execute what it uploaded)
 Perform a review of all permissions to the FTP directory, and disable anonymous write and any server-side execution feature you do not need
13.6 Hacking Web Servers Review

 Use a multi-layered approach when attacking or defending a web server
 Webservers are vulnerable to attacks against:
 The operating system
 The web service
 Web apps
 Other vulnerable network services running on the same server
 Supporting network services like DNS
 Client applications
 Common attacks include:
 DoS/DDoS
 Password cracking
 HTTP Response splitting
 Session hijacking
 Brute forcing
 Defacement
 Directory traversal
 Misconfiguration Attacks
 Web Cache Poisoning
 TLS Downgrade / MITM
 Shellshock
 Heartbleed
 POODLE
 DROWN