CEH Lesson 5 - Web Server Hacking

This document discusses hacking web servers and applications, including how to scan servers to identify vulnerabilities, exploit weaknesses like SQL injection, and crack passwords. It covers the components of web infrastructure, tools for scanning servers and enumerating services, common attacks like XSS and CSRF, and how to identify and exploit vulnerabilities in databases. The objectives are to understand how to hack web servers, applications, and databases by scanning for issues, attacking authentication, and exploiting SQL vulnerabilities.

Uploaded by

Louise Real
Copyright: © All Rights Reserved

Certified Ethical Hacker

Lesson 5
Web Server Hacking, Web Applications, and Database Attacks
Lesson 6
Objectives

After reading this lesson you will be able to:


 Identify the components of a web infrastructure
 Explain how to scan web servers
 Know how to identify web server vulnerabilities
 Explain how web application hacking works
 Describe web-based authentication
 Describe web-based password cracking techniques
 Be familiar with SQL vulnerabilities
Web Server Hacking
Web Server Hacking cont.

 HTML and HTTP are the standards that originally defined web architecture.
 HTTP has four stages.
 Web attacks focus on
– Scanning
– Banner grabbing
– Attacking the web server
– Surveying the application
– Attacking authentication
– Exploiting the database
Scanning Web Server

 Common ports:
– 80 – HTTP
– 88 – Kerberos
– 8080 – Squid
– 8888 – Alternative web server
 Scanning tools:
– ID Serve
– ScanLine
– Super Scan
– Nmap
Using Nmap Scripts
 The -sC option enables the most common scripts, while the --script option
lets you name the scripts to run. The --script option also takes comma-separated
values as arguments; these select the scripts Nmap executes when it starts.
Several examples are shown here:
– nmap -sV -O IP_address
– nmap -sV --script=http-enum IP_address
– nmap IP_address -p 80 --script=http-frontpage-login
– nmap --script http-passwd --script-args http-passwd.root=/ IP_address
Banner Grabbing and
Enumeration
 Attackers try to get additional information about the servers and their components.
 Popular web servers:
– IIS web server
– Apache web server
– Sun ONE web server
 Tools for enumeration and banner grabbing:
– Netcraft
– Telnet
– Netcat
– Wikto
– Black Widow
– Teleport Pro
– Wget
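Added example (not from the lesson's slides): the scanning and banner-grabbing steps above in Python, run against a throwaway HTTP server started on 127.0.0.1 so the script works offline. The scan does a TCP connect check per port, then sends an HTTP HEAD request and reads the Server header, which is exactly what Telnet or Netcat shows when you type the request by hand. The local server, the port list and the helper names are assumptions made for this example; pointing `scan()` at your own hosts shows what they disclose.

```python
import http.server
import socket
import threading


# Constructed target: a throwaway HTTP server on the loopback interface,
# standing in for the web server being scanned (assumption for the demo).
class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo silent


def start_local_server():
    """Bind to an ephemeral port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def port_open(host, port, timeout=1.0):
    """TCP connect check: the per-port test a scanner performs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def grab_banner(host, port, timeout=2.0):
    """Send a HEAD request and return the status line and Server header."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while True:  # HTTP/1.0: the server closes after one response
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    server = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return {"status": lines[0], "server": server}


def scan(host, ports):
    """Banner for every port that accepts a connection."""
    found = {}
    for port in ports:
        if port_open(host, port):
            found[port] = grab_banner(host, port)
    return found


def demo():
    """Scan the constructed local server and return what it reveals."""
    srv, port = start_local_server()
    try:
        return scan("127.0.0.1", [port])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())  # the Server header names the software and Python version
```

The Server header the local stub returns is the same kind of version string a production IIS or Apache install leaks by default; the defensive follow-up is to suppress or genericize it in the server configuration and to confirm with this check.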
Web Server Vulnerability
Identification
 Perform this step after the vendor and version of the web server are identified.
 Check sites that list known vulnerabilities:
– www.securityfocus.com
– www.packetstormsecurity.org
– http://nvd.nist.gov
– http://exploit-db.com
Attacks Against Web Servers
 IIS Vulnerabilities:
– Buffer overflow attacks:
• ISAPI DLL Buffer overflow attack:
– Discovered June 2001
– Affects Windows NT and 2000
– Targets idq.dll, which runs as SYSTEM, so the attacker can escalate privileges and add himself to the Administrators group
• IPP Printer Overflow attack:
– Discovered 2001
– Affects Windows 2000 running IIS 5.0
• Metasploit can be used to launch buffer overflow attacks
– Source disclosure attacks:
• Can be used to uncover passwords, web design, or business logic
• +.htr exploit
– File system traversal attacks:
• Unicode input validation attack
– DNS amplification attack
• Reflect large amounts of DNS traffic
DNS Amplification
Securing IIS

 Harden before deploying.
 Patch management:
– Use automated patch management tools:
• Windows Server Update Services
• Microsoft HotFix Checker
• GFI LANguard
 Disable unneeded services:
– Microsoft Baseline Security Analyzer
– IIS Lockdown
– SOAPUI
– Retina
 Lock down the file system:
– Use NTFS and enable file level security and encryption.
 Enable logging and auditing.
Web Application Attacks

 Unvalidated input
– Input from the client is not validated before processing.
 Parameter/form tampering
– Manipulation of the parameters passed between the client and the web application
 Injection flaws
– Allow untrusted data to be executed as valid commands or queries
– SQL injection
– Command injection
– File injection
– LDAP injection
– XML injection
Web Application Attacks cont.

 Cross site scripting (XSS) and cross site request forgery attack
– Gained popularity in recent years
– Depend on input that is not properly sanitized
 Cross site request forgery (CSRF)
 Hidden fields attack
– The attacker can modify hidden fields following these three steps:
• Save page locally and open source code.
• Modify the amount and save the page.
• Refresh the local HTML page and click Add to Cart.
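Added example (not from the lesson's slides) covering the parameter/form tampering and hidden-field attack points above: a shopping-cart handler that trusts the hidden price field the browser submitted, beside one that ignores client-supplied prices, looks the price up server-side and validates the quantity. The catalogue, the form layout and the function names are assumptions made for this example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue standing in for the shop's product table (assumption).
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("199.00")}


def add_to_cart_vulnerable(form):
    """Uses the hidden 'price' field exactly as the page's three steps exploit it:
    the client edited the saved HTML, so the price is attacker-controlled."""
    sku = form["sku"]
    qty = int(form["qty"])
    price = Decimal(form["price"])  # trusted straight from the request
    return {"sku": sku, "qty": qty, "total": price * qty}


def add_to_cart_hardened(form):
    """Treats every submitted field as untrusted: the price comes from the
    server-side catalogue, and sku/qty are validated before use."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer")
    if not 1 <= qty <= 99:
        raise ValueError("qty out of range")
    # Any 'price' field in the form is simply ignored
    return {"sku": sku, "qty": qty, "total": CATALOGUE[sku] * qty}


def is_rejected(form):
    """True when the hardened handler refuses the submission."""
    try:
        add_to_cart_hardened(form)
        return False
    except (ValueError, InvalidOperation):
        return True


if __name__ == "__main__":
    # Constructed tampered submission: hidden price rewritten from 199.00 to 0.01
    tampered = {"sku": "sku-200", "qty": "1", "price": "0.01"}
    print(add_to_cart_vulnerable(tampered)["total"])  # 0.01
    print(add_to_cart_hardened(tampered)["total"])    # 199.00
```

The general rule the hardened handler applies is that hidden fields are a client-side convenience, not a trust boundary: anything that affects money, identity or authorization is recomputed or re-checked on the server.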
Cross-site Request Forgery
Input Validation
 Other security issues directly related to a lack of input validation include
– DoS: Any technique used to target availability in any way. For example, the
attacker might create a program to submit registration forms repeatedly until
all resources are exhausted.
– Session fixation: The attacker tricks the user into accessing a web server
using an explicit session ID value. This can be accomplished via a
client-side script, an HTTP response header, or a <META> tag.
• An example of the URL sent to the victim would appear as follows; notice
how the sessionid is passed: http://knowthetrade.com/<meta http-equiv=Set-Cookie content="sessionid=abc123">
– Direct OS commands: The unauthorized execution of OS commands.
– SOAP injection: The attacker injects malicious query strings in user input
fields to bypass web services authentication.
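Added example (not from the lesson's slides) for the session-fixation item above: a login routine that keeps whatever session ID the request arrived with, so an ID the attacker planted (the slide's `sessionid=abc123`) becomes an authenticated session, beside one that discards the pre-login session and issues a fresh random ID at login. The in-memory session store, the cookie name and the function names are assumptions made for this example.

```python
import secrets

# Constructed in-memory session store standing in for the server's session table
# (assumption). Keys are session IDs; values hold the logged-in user, None before login.
SESSIONS = {}


def new_session_id():
    """256 bits from the OS CSPRNG: a value the attacker can neither guess nor choose."""
    return secrets.token_urlsafe(32)


def login_vulnerable(cookie_sid, user):
    """Authenticates inside whatever session ID the request carried. If that ID was
    planted by the attacker (script, header or <META> tag), the attacker's own
    cookie now refers to the victim's authenticated session."""
    SESSIONS.setdefault(cookie_sid, {"user": None})
    SESSIONS[cookie_sid]["user"] = user
    return cookie_sid


def login_hardened(cookie_sid, user):
    """Drops the pre-authentication session and issues a fresh ID at the
    privilege change, so an ID the victim arrived with is never upgraded."""
    SESSIONS.pop(cookie_sid, None)
    sid = new_session_id()
    SESSIONS[sid] = {"user": user}
    return sid


def whoami(sid):
    """What the server believes about a request presenting this session ID."""
    return SESSIONS.get(sid, {}).get("user")


def set_cookie_header(sid):
    """Set-Cookie value for the fresh ID; the flags keep scripts and plain HTTP away from it."""
    return f"sessionid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Replay the slide's scenario against both login routines."""
    planted = "abc123"  # the attacker-chosen value from the slide's example URL
    SESSIONS.clear()
    login_vulnerable(planted, "victim")
    hijacked = whoami(planted)  # "victim": the planted cookie is now logged in
    SESSIONS.clear()
    fresh = login_hardened(planted, "victim")
    safe = whoami(planted)      # None: the planted ID is dead after login
    return hijacked, safe, fresh != planted


if __name__ == "__main__":
    print(demo())  # ('victim', None, True)
```

Regenerating the ID at login is the core fix; accepting only server-issued IDs and sending the cookie with `HttpOnly`, `Secure` and `SameSite` reduces the ways an attacker can plant one in the first place.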
Web-Based Authentication

 Four common types of authentication:
– Basic:
• Uses exclusive ORing (XOR)
• Weak form of encryption that can be compromised easily
– Message digest:
• Uses MD5 algorithm
– Certificate-based:
• Uses public key cryptography
– Forms-based:
• Uses cookies
Web-Based Password Cracking

 Three basic types of password attacks:
– Dictionary:
• Uses a dictionary list to crack the password
• Fast, but successful only if a dictionary word was used as the password
– Hybrid:
• Uses a dictionary file but adds numbers or symbols to the dictionary words
– Brute force:
• Tries to crack the password by using every possible combination of characters specified by the user
• Time-consuming
 Password cracking tools:
– WebCracker
– Brutus
– THC Hydra
Cookies

 Store information about user preferences, usernames and passwords, cart content, and so on.
 Tools to view cookies:
– CookieSpy
– Cookie Digger
URL Obfuscation

 Hiding addresses in URLs to bypass filters or other defenses that block specific IP addresses
 Encodes the data so it cannot be easily viewed
 Common encoding schemes
– Hex
– HTML
– Base64
– Unicode
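Added example (not from the lesson's slides) for the URL obfuscation points above, written from the filter's side: a naive string match on the raw URL misses a blocked address once it is hex-, HTML-entity-, `%u`- or double-encoded, so the hardened filter first canonicalizes the URL until no encoding remains and also inspects query values that decode as Base64. The blocked address, the sample URLs and the function names are constructed assumptions for this example.

```python
import base64
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed policy (assumption): the one address this filter must keep requests away from.
BLOCKED_HOSTS = {"10.0.0.5"}

# Legacy %uXXXX (IIS-style) Unicode escapes, which urllib does not decode
_U_ENCODED = re.compile(r"%u([0-9a-fA-F]{4})")


def canonicalize(url, max_rounds=5):
    """Peel hex (%XX and %uXXXX) and HTML-entity encoding off a URL until it stops
    changing, so double-encoded input also ends up in its plain form."""
    current = url
    for _ in range(max_rounds):
        decoded = _U_ENCODED.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)
        decoded = html.unescape(decoded)
        if decoded == current:
            break
        current = decoded
    return current


def decode_base64_values(url):
    """Query values that are valid Base64 text, e.g. an encoded redirect target."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query):
        try:
            found[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not text: leave it alone
    return found


def naive_filter_blocks(url):
    """String match on the raw URL: what an obfuscated URL is built to evade."""
    return any(host in url for host in BLOCKED_HOSTS)


def filter_blocks(url):
    """Same policy, applied after canonicalization and to decoded Base64 values."""
    plain = canonicalize(url)
    candidates = [plain] + list(decode_base64_values(url).values())
    return any(host in c for host in BLOCKED_HOSTS for c in candidates)


# Constructed sample: a redirect parameter carrying the blocked host in Base64
SAMPLE_B64_URL = "http://example.test/go?next=" + base64.b64encode(b"http://10.0.0.5/").decode()

if __name__ == "__main__":
    hex_url = "http://%31%30%2e%30%2e%30%2e%35/admin"
    print(naive_filter_blocks(hex_url), filter_blocks(hex_url))  # False True
    print(canonicalize("http://%2531%30.0.0.5/"))               # http://10.0.0.5/
```

The loop in `canonicalize` is bounded so a crafted input cannot make the filter decode forever; the general lesson is that any allow/deny decision on a URL has to be made on the decoded form the server will actually act on, never on the bytes as they arrived.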
Intercepting Web Traffic

 Web Proxies:
– Allow attackers to attack and debug web applications.
– Act as a man-in-the-middle.
– Burp Proxy.
– Paros Proxy.
– OWASP ZAP.
OWASP ZAP
Database Overview

 Database types:
– Hierarchical database management systems
– Network database management systems
– Relational database management systems
– Object-oriented database management systems
Identifying SQL Servers

 Popular databases and ports:
– Oracle Net Listener – port 1579
– Microsoft SQL – port 1433
– MySQL – port 3306
 SQL injection:
– The attacker takes advantage of insecure code and sends his SQL statements to the database.
– One of the most common attacks.
SQL Injection Vulnerabilities and
Hacking Tools
 Simple SQL injection
– Nonvalidated input
– Poor coding practices
 UNION SQL injection
– Uses the UNION command
 Error-based SQL injection
– Uses poorly constructed SQL statements to provoke error messages that reveal table names
 Blind SQL injection
– Unpatched systems
 Tools:
– SQLDict
– SQLExec
– SQLbf
– BSQL Hacker
– SQL2.exe
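Added example (not from the lesson's slides) covering the SQL injection item above and the simple, UNION and error-based variants on this slide: a login check and a product search built by pasting user input into the statement, each beside the same query with bound parameters, run against an in-memory SQLite database. The tables, rows and function names are constructed assumptions for this example; `probe_error` returns the database error text so you can see what an application that echoes such messages hands to an attacker.

```python
import sqlite3


def build_db():
    """Constructed sample database (assumption): a users table and a products table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real systems store salted hashes
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "s3cret!"), ("alice", "letmein")])
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                    [("widget", 9.99), ("gadget", 24.5)])
    return con


def login_vulnerable(con, username, password):
    """Simple SQL injection: input is concatenated into the statement, so a
    quote and a comment marker in the username end the WHERE clause early."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def search_vulnerable(con, term):
    """A search box built the same unsafe way; a UNION here reads other tables."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_parameterized(con, term):
    """Bound LIKE pattern: the whole input is matched literally."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def probe_error(fn, con, term):
    """Database error text a caller would see, or None if the query ran.
    Applications that echo this text are what error-based injection reads."""
    try:
        fn(con, term)
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)


if __name__ == "__main__":
    con = build_db()
    print(login_vulnerable(con, "admin' --", "wrong"))       # ['admin']
    print(login_parameterized(con, "admin' --", "wrong"))    # []
    union = "' UNION SELECT username, password FROM users --"
    print(search_vulnerable(con, union))      # products plus every username/password
    print(search_parameterized(con, union))   # []
    print(probe_error(search_vulnerable, con, "'"))  # syntax error text
```

The fix is the same for every variant: bound parameters (or an equivalent prepared-statement API) keep input out of the statement's grammar, and returning a generic error page instead of the raw database message removes the feedback channel error-based injection depends on.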
Lesson 5
Summary
 Explain web architecture.
 Know the tools used to scan web servers.
 Explain how to perform banner grabbing and enumeration.
 Identify web server vulnerabilities.
 Describe attacks against web servers.
 Describe common authentication types.
 Describe databases and SQL injection attacks.
