Hacking Web Server
Defiana Arnaldy, M. Si
0818 0296 4763
Slides: 36

Overview
  • Introduction
  • How Web Servers Work
  • Types of Web Server Vulnerabilities
  • Web Application Vulnerabilities
  • Web-Based Password-Cracking Techniques

Introduction
  • Web servers and web applications have a very high potential to be compromised.
  • The primary reason is that the systems that run web server software must be publicly available on the Internet.
  • The web server cannot be completely isolated; to some degree it must be available to legitimate users.

  • Once a web server has been compromised, the system can provide hackers with another door into the network.
  • Not only the web server software but also the applications that run on the web server are open to attack and can be exploited.
  • Because of their function, web servers are more accessible than other systems and less protected, so they are easier to exploit.

  • The target information on a web server usually resides in a database on the web server; this database is accessed via a web application.
  • For this reason, web servers and web applications go hand in hand.
  • Compromising the web server is usually done to gain access to the underlying data in the web application.

How Web Servers Work
  • Web servers use Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) to allow web-based clients to connect to them and view and download files.
  • Hypertext Markup Language (HTML) is the language used to create web pages and allows those pages to be rendered in web browser software on web clients.

  1. The web client initially opens a connection to the web server IP address using TCP port 80.
  2. The web server waits for a GET request from the client requesting the home page for the website.
  3. The web server responds with the HTML code for the web server home page.
  4. The client processes the HTML code and the web client's browser software renders the page on the client device.

Types of Web Server Vulnerabilities
  • The following vulnerabilities are most commonly exploited in web servers:
  • Misconfiguration of the Web Server Software: a common issue with using Microsoft's Internet Information Server (IIS) as a web server is the use of the default website.
  • Vulnerable Default Installation: operating system and web server software settings should not be left at their defaults when installed, and should be updated on a continuous basis.

  • Operating System or Application Bugs, or Flaws in Programming Code: all programs, including the OS and web server applications, should be patched or updated on a regular basis.
  • For Windows systems, this includes security patches, hotfixes, and Windows Updates.
  • All of these patches can be applied to the systems automatically or manually once they have been tested.

Attacking a Web Server
  • Web servers typically listen on TCP port 80 (HTTP) and TCP port 443 (HTTPS).
  • Because those ports must be open and available to web clients, any firewalls or packet-filtering devices between the web client and web server must pass traffic destined for those ports.
  • Web application software sits on top of the web server software and allows access to additional ports.

  • One of the initial information-gathering steps targeting web servers is banner grabbing.
  • Banner grabbing is an attempt to gather information about a web server, such as the OS and the web server software and version.
  • The banner grabbing result will usually identify the web server type and version.
  • This information is important because exploits against this web server type and version can be identified.

  • The next step after banner grabbing would be to attack the web server or attack a web application and gain access to data on the server.
  • A benign but visible type of attack against web servers is defacement.
  • Hackers deface websites for sheer joy and an opportunity to enhance their reputations rather than to gather any useful data.

  • Common website attacks that enable a hacker to deface a website include the following:
    • Capturing administrator credentials through man-in-the-middle attacks
    • Revealing an administrator password through a brute-force attack
    • Using a DNS attack to redirect users to a different web server
    • Compromising an FTP or email server
    • Exploiting web application bugs that result in a vulnerability
    • Misconfiguring web shares

    • Taking advantage of weak permissions
    • Rerouting a client after a firewall or router attack
    • Using SQL injection attacks (if the SQL server and web server are the same system)
    • Using telnet or Secure Shell (SSH) intrusion
    • Carrying out URL poisoning, which redirects the user to a different URL
    • Using web server extension or remote service intrusion
    • Intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges (applies to cookie-based security)

Hacking Internet Information Server
  • Windows IIS is one of the most popular web server software products.
  • Because of the popularity and number of web servers running IIS, many attacks can be launched against IIS servers.
  • The three most common attacks against IIS are as follows:
    • Directory traversal
    • Source disclosure
    • Buffer overflow

Patch-Management Techniques
  • Patch management plays a critical role in preventing and mitigating the risk of attack against web servers and web applications.
  • Patch management is the process of applying the appropriate patches and hotfixes required by a system vendor.
  • Proper patch management involves choosing how patches are to be installed and verified, and testing those patches on a nonproduction network prior to installation.

Web Server Hardening Methods
  • A web server administrator can do many things to harden a server (increase its security).
  • The following are ways to increase the security of the web server:
    • Rename the administrator account, and use a strong password. To rename the administrator account in Windows, open the User Manager, right-click the Administrator account, and select Rename.
    • Disable default websites and FTP sites. The process to disable default websites was described earlier in this chapter: right-click the default website in IIS Manager and choose Stop. The same process works for the default FTP site.
    • Remove unused applications from the server, such as WebDAV. Unnecessary applications can be removed from a server by using Add/Remove Programs in the Windows Control Panel.
    • Disable directory browsing in the web server's configuration settings.

Web Server Hardening Methods
    • Add a legal notice to the site to make potential attackers aware of the implications of hacking the site.
    • Apply the most current patches, hotfixes, and service packs to the operating system and web server software.
    • Perform bounds checking on input for web forms and query strings to prevent buffer overflow or malicious input attacks.
    • Disable remote administration.
    • Use a script to map unused file extensions to a 404 ("File not found") error message.
    • Enable auditing and logging.
    • Use a firewall between the web server and the Internet and allow only necessary ports (such as 80 and 443) through the firewall.
    • Replace the GET method with the POST method when sending data to a web server.
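The four-step GET exchange from slide 7, the banner-grabbing point from slide 11 and several of the hardening steps listed above, shown together as an added example that is not part of the original slides: a small Python 3 server built on the standard library's http.server module (standing in for IIS) that sends a generic Server banner, refuses directory listings, maps unmapped file extensions to a 404 and records every request, plus a client that performs the GET exchange against it. The document root, the file names and the loopback port are constructed for the example.

```python
import functools
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request

# Extensions the server will serve; any other extension is mapped to a 404
# (the "map unused file extensions to a 404" hardening step).
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png"}

# In-memory audit log, one entry per request (stand-in for the access log file).
ACCESS_LOG = []


class HardenedHandler(http.server.SimpleHTTPRequestHandler):
    def version_string(self):
        # Generic Server header: a banner grab no longer sees
        # "SimpleHTTP/x.y Python/3.z" (software type and version).
        return "web"

    def list_directory(self, path):
        # Directory browsing disabled: a folder with no index page is refused.
        self.send_error(403, "Directory listing disabled")
        return None

    def do_GET(self):
        ext = os.path.splitext(self.path.split("?", 1)[0])[1].lower()
        if ext and ext not in ALLOWED_EXTENSIONS:
            self.send_error(404, "File not found")
            return
        super().do_GET()

    def log_message(self, fmt, *args):
        # Auditing and logging: keep every request line instead of printing it.
        ACCESS_LOG.append("%s %s" % (self.address_string(), fmt % args))


def fetch(url):
    """Steps 1-4 from the slides: open the TCP connection, send a GET, receive
    the response. Returns (status, Server header, body) for inspection."""
    request = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(request) as resp:
            return resp.status, resp.headers.get("Server"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server"), ""


def run_demo():
    """Serve a constructed document root on a loopback port and probe it.
    File names are hypothetical; the dict holds what the client got back."""
    docroot = tempfile.mkdtemp()
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<html><body><h1>Home</h1></body></html>")
    with open(os.path.join(docroot, "config.bak"), "w") as f:
        f.write("db_password=constructed-example")  # leftover file that must not be served
    os.mkdir(os.path.join(docroot, "uploads"))      # folder without an index page

    handler = functools.partial(HardenedHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    base = "http://127.0.0.1:%d" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "home": fetch(base + "/"),               # served: 200
            "backup": fetch(base + "/config.bak"),   # extension not mapped: 404
            "listing": fetch(base + "/uploads/"),    # browsing disabled: 403
        }
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(docroot, ignore_errors=True)


if __name__ == "__main__":
    for name, (status, banner, body) in run_demo().items():
        print("%-8s status=%s server=%s body=%r" % (name, status, banner, body[:30]))
    print("\n".join(ACCESS_LOG))
```

The three probes come back 200, 404 and 403, and the Server header the client sees is the generic string rather than the library name and Python version that a banner grab would otherwise record. Renaming the administrator account, stopping the default sites and the firewall rule are administrative steps outside the server code.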

Web Application Vulnerabilities
  • Web applications are programs that reside on a web server to give the user functionality beyond just a website.
  • Database queries, webmail, discussion groups, and blogs are all examples of web applications.

  • A web application uses a client/server architecture, with a web browser as the client and the web server acting as the application server.
  • JavaScript is a popular way to implement web applications.
  • Because web applications are widely implemented, any user with a web browser can interact with most site utilities.

  • The purpose of hacking a web application is to gain confidential data.
  • Web applications are critical to the security of a system because they usually connect to a database that contains information such as identities with credit card numbers and passwords.
  • Web applications are essentially another door into a system and can be exploited to compromise the system.

  • Hacking web applications is similar to hacking other systems.
  • Hackers follow a five-step process:
    1. Scan the network.
    2. Gather information.
    3. Test different attack scenarios.
    4. Plan the attack.
    5. Launch the attack.
  • The steps are listed in Figure 8.2.

(Slide 23: figure only; no text was extracted.)

Web Application Threats and Countermeasures
  • Many web application threats exist on a web server.
  • The following are the most common threats and their countermeasures:
  • Cross-Site Scripting: a parameter entered into a web form is processed by the web application. The correct combination of variables can result in arbitrary command execution.
    • Countermeasure: validate cookies, query strings, form fields, and hidden fields.

  • SQL Injection: inserting SQL commands into the URL gets the database server to dump, alter, delete, or create information in the database.
    • Countermeasure: validate user variables.

  • Command Injection: the hacker inserts programming commands into a web form.
    • Countermeasure: use language-specific libraries for the programming language.

  • Cookie Poisoning and Snooping: the hacker corrupts or steals cookies.
    • Countermeasures: don't store passwords in a cookie; implement cookie timeouts; authenticate cookies.

  • Buffer Overflow: huge amounts of data are sent to a web application through a web form to execute commands.
    • Countermeasures: validate user input length; perform bounds checking.

  • Authentication Hijacking: the hacker steals a session once a user has authenticated.
    • Countermeasure: use SSL to encrypt traffic.

  • Directory Traversal/Unicode: the hacker browses through the folders on a system via a web browser or Windows Explorer.
    • Countermeasures: define access rights to private folders on the web server; apply patches and hotfixes.
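The countermeasures from slides 24 to 30 applied in code, as an added example that is not from the slides: a bound parameter against SQL injection shown beside the string-built query it replaces, HTML-escaping of a form field before it is echoed (the "validate form fields" advice for cross-site scripting), a length bound for form input, a web-root check that decodes the URL before rejecting directory traversal, and a session cookie that carries no password, times out, and is authenticated with an HMAC so that poisoning is detected. The table, user names and key are constructed; the authentication-hijacking countermeasure (TLS for the whole session) is a deployment setting and is not shown here.

```python
import hashlib
import hmac
import html
import os
import sqlite3
import time
import urllib.parse

# ---- SQL injection: validate user variables by binding them ------------------
def setup_db():
    """Constructed in-memory table standing in for the application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, card TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "4111-constructed"), ("bob", "4222-constructed")])
    return db

def lookup_unsafe(db, name):
    # The user variable is spliced into the SQL text, so it can rewrite the query.
    return db.execute("SELECT card FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(db, name):
    # Bound parameter: the driver passes the value separately from the SQL text.
    return db.execute("SELECT card FROM users WHERE name = ?", (name,)).fetchall()

# ---- Cross-site scripting: encode form fields before echoing them ------------
def render_unsafe(comment):
    return "<p>" + comment + "</p>"

def render_safe(comment):
    return "<p>" + html.escape(comment, quote=True) + "</p>"

# ---- Buffer overflow / malicious input: bounds-check the field length --------
def within_bounds(value, max_bytes):
    return len(value.encode("utf-8")) <= max_bytes

# ---- Directory traversal, including URL-encoded (Unicode) forms --------------
def resolve_under_root(web_root, requested):
    """Decode, normalise, then require the result to stay inside web_root."""
    root = os.path.realpath(web_root)
    decoded = urllib.parse.unquote(requested).replace("\\", "/")
    target = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the web root: " + requested)
    return target

def is_inside_root(web_root, requested):
    try:
        resolve_under_root(web_root, requested)
        return True
    except PermissionError:
        return False

# ---- Cookie poisoning/snooping: no password, a timeout, an HMAC --------------
COOKIE_KEY = os.urandom(32)   # constructed per process; production uses a managed key

def make_cookie(user, role, ttl=900, now=None):
    """user|role|expiry|hmac; user and role are assumed not to contain '|'."""
    issued = now if now is not None else time.time()
    payload = "%s|%s|%d" % (user, role, int(issued) + ttl)
    mac = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + mac

def read_cookie(cookie, now=None):
    """Session dict, or None when the cookie is forged, malformed or expired."""
    parts = cookie.split("|")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    payload = "|".join(parts[:3])
    expected = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[3], expected):
        return None          # poisoned: contents changed after issue
    if int(parts[2]) <= (now if now is not None else time.time()):
        return None          # timed out
    return {"user": parts[0], "role": parts[1]}
```

With the constructed table, the string-built query answers a name of `x' OR '1'='1` with every row, while the bound query answers it with none; the cookie whose role field is edited after issue fails the HMAC check, and the same cookie read after its expiry is refused even though the HMAC still matches.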

Web-Based Password-Cracking Techniques
  • Authentication Types
  • Web servers and web applications support multiple authentication types.
  • The most common is HTTP authentication.
  • There are two types of HTTP authentication:
    • Basic sends the username and password in cleartext.
    • Digest hashes the credentials and uses a challenge-response model for authentication.

  • NTLM Authentication: this type uses Internet Explorer and IIS web servers, making NTLM more suitable for internal authentication on an intranet that uses Microsoft operating systems. Windows 2000 and 2003 servers utilize Kerberos authentication as a more secure option.
  • Certificate-Based Authentication: this type uses an X.509 certificate for public/private key technology.

  • Token-Based Authentication: a token, such as SecurID, is a hardware device that displays an authentication code for 60 seconds; a user uses this code to log into a network.
  • Biometric Authentication: this type uses a physical characteristic such as a fingerprint, eye iris, or handprint to authenticate the user.
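Basic versus Digest HTTP authentication from slide 31, as an added example that is not part of the original slides: the Basic header is undone with a single base64 decode, which is why it is cleartext in all but name, while the Digest path computes the RFC 2617 response (MD5 over HA1, the server's nonce and HA2, without the optional qop field) on the client and verifies it on the server from a stored HA1 and the nonce it issued. The realm, user name, password and URI are constructed values.

```python
import base64
import hashlib
import hmac
import os


def make_basic(user, password):
    """Client side of Basic: what the browser puts in the Authorization header."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def parse_basic(authorization):
    """Server side of Basic. The header is only base64-encoded, so the cleartext
    user name and password are recovered by anyone who can read the request."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5hex(text):
    # MD5 is what RFC 2617 Digest specifies; it is used here for that reason only.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the server stores this, not the password."""
    return _md5hex("%s:%s:%s" % (username, realm, password))


def new_nonce():
    """Server challenge: a fresh random nonce for each authentication attempt."""
    return os.urandom(16).hex()


def digest_response(username, realm, password, method, uri, nonce):
    """Client side: response = MD5(HA1:nonce:HA2). Only this hash crosses the
    wire; the password itself stays on the client."""
    ha2 = _md5hex("%s:%s" % (method, uri))
    return _md5hex("%s:%s:%s" % (digest_ha1(username, realm, password), nonce, ha2))


def digest_verify(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and the nonce it issued."""
    ha2 = _md5hex("%s:%s" % (method, uri))
    expected = _md5hex("%s:%s:%s" % (stored_ha1, nonce, ha2))
    return hmac.compare_digest(expected, response)


REALM, USER, PASSWORD, URI = "example", "alice", "s3cret-constructed", "/private/"


def exchange(password_attempt):
    """One challenge-response round trip; True when the server accepts it."""
    nonce = new_nonce()                                  # server -> client
    stored = digest_ha1(USER, REALM, PASSWORD)           # what the server keeps
    resp = digest_response(USER, REALM, password_attempt, "GET", URI, nonce)  # client -> server
    return digest_verify(stored, "GET", URI, nonce, resp)


def replay_is_rejected():
    """A response captured under one nonce does not verify under a fresh one."""
    stored = digest_ha1(USER, REALM, PASSWORD)
    captured = digest_response(USER, REALM, PASSWORD, "GET", URI, new_nonce())
    return not digest_verify(stored, "GET", URI, new_nonce(), captured)


if __name__ == "__main__":
    print(parse_basic(make_basic("alice", "s3cret-constructed")))  # cleartext recovered
    print(exchange(PASSWORD), exchange("wrong"), replay_is_rejected())
```

The nonce is what turns a hash into a challenge-response: a captured Digest response is bound to the nonce it was computed for and fails under the next one, whereas a captured Basic header works verbatim until the password is changed.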

Password Attacks and Password Cracking
  • A password cracker is a program designed to decrypt passwords or disable password protection.
  • Password crackers rely on dictionary searches (attacks) or brute-force methods to crack passwords.
  • The best password-cracking countermeasure is to implement strong passwords that are at least eight characters long (the old standard was six) and that include alphanumeric characters.

  • The three types of password attacks are as follows:
    • Dictionary: uses passwords that can be found in a dictionary.
    • Brute-Force: guesses complex passwords that use letters, numbers, and special characters.
    • Hybrid: uses dictionary words with a number or special character as a substitute for a letter.
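The three attack types and the slide-34 password rule, as an added example that is not from the slides: a policy check that enforces at least eight characters with both letters and digits and also classifies which attack type would recover a candidate password, undoing the hybrid transformations (trailing digits, 0 for o, @ for a and so on) so that a dressed-up dictionary word is still rejected. The wordlist and the substitution table are small constructed stand-ins for the real ones.

```python
import re
import string

# Constructed stand-in for a real wordlist.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Letter-for-symbol substitutions that a hybrid attack tries, mapped back.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE_CHARS = string.digits + string.punctuation


def hybrid_variants(password):
    """Candidate base words: the password lowercased, with leading/trailing
    digits and symbols stripped, and with substitutions mapped back to letters."""
    low = password.lower()
    stripped = low.strip(EDGE_CHARS)
    no_trailing_digits = re.sub(r"\d+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET),
            no_trailing_digits.translate(LEET)}


def classify_attack(password):
    """Which of the three attack types would recover this password first."""
    if password.lower() in DICTIONARY:
        return "dictionary"
    if hybrid_variants(password) & DICTIONARY:
        return "hybrid"
    return "brute-force"


def check_policy(password, min_len=8):
    """Returns the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    kind = classify_attack(password)
    if kind != "brute-force":
        problems.append("recoverable by a %s attack" % kind)
    return problems


if __name__ == "__main__":
    for candidate in ("dragon", "Dr4g0n1", "$ummer2024", "p@ssw0rd", "x9Tq2pLm"):
        print("%-12s %-11s %s" % (candidate, classify_attack(candidate), check_policy(candidate)))
```

A password such as `p@ssw0rd` satisfies the length and character rule from the slide and is still refused, because after the substitutions are undone it is a dictionary word, which is exactly the case a hybrid attack is built for.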

The End … ?