Post on 04-Jun-2018
8/14/2019 CEHv8 Module 12 Hacking Webservers.pdf
Exam 312-50 Certified Ethical Hacker: Ethical Hacking and Countermeasures
Module 12: Hacking Webservers
Engineered by Hackers. Presented by Professionals.
Ethical Hacking and Countermeasures v8
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module 12 Page 1601
Security News
GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com
Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.
According to many customers, sites hosted by major web host and domain registrar GoDaddy
are down. According to the official GoDaddy Twitter account, the company is aware of the
issue and is working to resolve it.
Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well,
along with GoDaddy phone service and all sites using GoDaddy's DNS service.
Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and
makes it clear this is not an Anonymous collective action.
A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of
GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET,
and CNS3.SECURESERVER.NET are failing to resolve.
AnonymousOwn3r's bio reads "Security leader of #Anonymous (Official member)." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.
Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the
service, and the company has been the center of a few other controversies. However,
AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did
this attack."
Copyright 2012 AOL Inc.
By Klint Finley
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
Module Objectives
Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module highlights the various security concerns in the context of web servers. After finishing this module, you will understand what a web server is and how it is architected, how attackers compromise it, the different types of attacks that can be carried out against web servers, the tools used in web server hacking, and so on. Web server security is a vast domain, and its finer details are beyond the scope of this module. This module familiarizes you with:
IIS Web Server Architecture
Why Web Servers Are Compromised
Impact of Webserver Attacks
Webserver Attacks
Webserver Attack Methodology
Webserver Attack Tools
Metasploit Architecture
Web Password Cracking Tools
Countermeasures
How to Defend Against Web Server Attacks
Patch Management
Patch Management Tools
Webserver Security Tools
Webserver Pen Testing Tools
Webserver Pen Testing
Module Flow
To understand how web servers are hacked, you should first know what a web server is, how it functions, and what other elements are associated with it. Together these are termed web server concepts, so we discuss them first.
Module sections: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Countermeasures.
This section gives a brief overview of the web server and its architecture. It also explains the common mistakes that allow attackers to compromise a web server, and describes the impact of attacks on the web server.
Web Server Market Shares
Source: http://w3techs.com
The following statistics show the percentage of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, at 64.6%, followed by Microsoft IIS at 17.4%.
FIGURE 12.1: Web Server Market Shares (bar chart: Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%, with Tomcat and Lighttpd holding smaller shares)
Open Source Web Server Architecture
The diagram below illustrates the basic components of an open source web server architecture.
FIGURE 12.2: Open Source Web Server Architecture (site admin and site users reach the server over the Internet, and attacks arrive the same way; the Linux host runs Apache, PHP, MySQL, compiled extensions, email, the file system, and the applications)
Where,
Linux - the server's operating system
Apache - the web server component
MySQL - a relational database
PHP - the application layer
IIS Web Server Architecture
Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.
IIS, also known as Internet Information Services, is a web server application developed by Microsoft for Microsoft Windows. It is the second most widely used web server after Apache HTTP Server, with around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.
The diagram that follows illustrates the basic components of the IIS web server architecture:
FIGURE 12.3: IIS Web Server Architecture
Client requests arrive from the Internet at the HTTP Protocol Stack (HTTP.SYS), which runs in kernel mode.
In user mode, Svchost.exe hosts the Windows Activation Service (WAS) and the WWW Service, which read applicationHost.config and start the application pools.
Inside an Application Pool: the Web Server Core runs the request pipeline (begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing); Native Modules provide anonymous authentication, the managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging; an AppDomain hosts Managed Modules such as Forms Authentication; external applications plug in alongside.
Website Defacement
(Slide: a browser open at http://juggyboy.com/index.aspx shows a defaced page reading "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com".)
Website Defacement
Website defacement is the unauthorized alteration of a website's or web page's content by attackers who have broken into the web server and replaced the hosted pages with content of their own.
Web defacement occurs when an intruder maliciously alters the visual appearance of a web
page by inserting or substituting provocative and frequently offensive data. Defaced pages
expose visitors to propaganda or misleading information until the unauthorized change is
discovered and corrected.
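A defacement is usually noticed by visitors before the operator sees it. One straightforward detection control is a file-integrity baseline of the document root, which the following added example implements; it is not part of the CEH text. It builds a constructed site in a temporary directory (index.aspx and images/logo.txt are made-up files with made-up content), records SHA-256 digests, then simulates a defacement plus a dropped file and reports what changed.

```python
"""File-integrity baseline for a web document root, as a defacement detector.
Added example: the site, its files and the 'defacement' are all constructed here."""
import hashlib
import os
import tempfile


def snapshot(docroot):
    """Map each file under docroot (path relative to docroot) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, docroot)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (modified, added, removed) relative paths; any non-empty list is an alert."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def write(docroot, rel, text):
    """Create rel (and its parent directories) under docroot with the given text."""
    path = os.path.join(docroot, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed site, baseline it, deface index.aspx, drop a file, report."""
    docroot = tempfile.mkdtemp()
    write(docroot, "index.aspx", "<h1>Welcome to juggyboy.com</h1>")   # constructed content
    write(docroot, "images/logo.txt", "logo placeholder")              # constructed content
    baseline = snapshot(docroot)
    write(docroot, "index.aspx", "You are OWNED!!!!!!! HACKED!")        # the defacement
    write(docroot, "dropped.txt", "left behind by the intruder")        # a file the intruder added
    return diff_snapshots(baseline, snapshot(docroot))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The baseline only has value if the intruder cannot rewrite it along with the pages: store it off the web host (or sign it) and run the comparison from a separate system, because an attacker with write access to the document root typically has write access to anything stored beside it.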
Why Web Servers Are Compromised
There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites through browsers.
Webmaster's concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses, in the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs in large, complex programs are a frequent source of security lapses, and web servers are themselves large, complex programs that carry these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests; any CGI script installed at the site may contain bugs that are potential security holes.
Network administrator's concern: From a network administrator's perspective, a poorly configured web server is another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make it almost impossible to use. In an intranet environment, the network administrator has to configure the web server carefully so that legitimate users are recognized and authenticated, and different groups of users are assigned distinct access privileges.
End user's concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content such as ActiveX controls and Java applets makes it possible for harmful applications such as viruses to invade the user's system. Besides, active content fetched by the browser from a website can be a conduit for malicious software to bypass the firewall and spread through the local area network.
The table that follows shows the causes and consequences of web server compromises:
TABLE 12.1: Causes and consequences of web server compromises
Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible
Impact of Webserver Attacks
Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:
Compromise of user accounts: Many web server attacks aim at user account compromise. A compromised account yields useful information to the attacker and can be used to launch further attacks on the web server.
Data tampering: The attacker can alter or delete data, or even replace it with malware so that whoever connects to the web server also becomes compromised.
Website defacement: Attackers change the look of the website by replacing the original content with visuals and pages carrying messages of their own.
Secondary attacks from the website: Once a web server is compromised, the attacker can use it to launch further attacks on other websites or client systems.
Data theft: Data is one of the main assets of a company. Attackers can gain access to sensitive company data such as the source code of a particular program.
Root access to other applications or servers: Root access is the highest privilege level on a system, whether a dedicated server, a semi-dedicated server, or a virtual private server. Once attackers obtain root access, they can perform any action on that system and move on to the other applications or servers it hosts or trusts.
Module Flow
Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Almost every online action is performed with the help of a web server, so it is a critical resource for an organization, and that is exactly why attackers target it. There are many attack techniques used to compromise web servers; we discuss them now. They include misconfiguration and directory traversal attacks, the HTTP response splitting attack, the web cache poisoning attack, HTTP response hijacking, web application attacks, etc.
Module sections: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Countermeasures.
Web Server Misconfiguration
Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds such a weakness, for example remotely accessible administration functions, it becomes a doorway into the company's network, and these loopholes can let attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems are easily exploited and can result in the total compromise of a website. Common misconfigurations include:
Remote administration functions exposed to the network, which give an attacker a direct route to controlling the server.
Unnecessary services enabled, each of which adds attack surface of its own.
Misconfigured or default SSL certificates.
Verbose debug/error messages.
Anonymous or default users/passwords.
Sample configuration and script files.
Web Server Misconfiguration Example
Consider the httpd.conf file on an Apache server.

<Location /server-status>
    # no Require or Allow directive restricts who may reach this handler
    SetHandler server-status
</Location>

FIGURE 12.5: httpd.conf file on an Apache server
This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including the hosts and requests currently being processed.
Consider another example, the php.ini file.

display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server
This configuration gives verbose error messages to every visitor: display_errors = On sends PHP warnings and fatal errors (file paths, function names, SQL fragments) to the browser instead of only to the log.
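A quick way to catch both misconfigurations across a fleet is to audit the configuration files rather than probe the live server. The following added example (not from the CEH text) parses constructed httpd.conf and php.ini fragments: it flags a <Location> block that exposes mod_status without a Require ip, Require local or Allow from restriction, and php.ini settings that leak internals. The expose_php check and the 10.0.0.0/8 admin network in the hardened sample are my additions, not something the page states.

```python
"""Audit Apache and php.ini fragments for the misconfigurations in Figures 12.5 and 12.6.
Added example; the WEAK_* and HARDENED_* fragments are constructed, not from a real host."""
import re

WEAK_HTTPD = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

HARDENED_HTTPD = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
"""

WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

HARDENED_PHP_INI = """
display_errors = Off
log_errors = On
error_log = syslog
expose_php = Off
"""


def parse_ini(text):
    """Return {directive: value} (lower-cased) for 'key = value' lines; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit_php_ini(text):
    """Flag php.ini settings that hand server internals to remote users.
    PHP's built-in defaults (display_errors=1, expose_php=1) apply when a key is absent."""
    settings = parse_ini(text)
    findings = []
    if settings.get("display_errors", "1") in ("on", "1", "true", "stdout"):
        findings.append("display_errors is on: paths, stack traces and SQL fragments reach the browser")
    if settings.get("expose_php", "1") not in ("off", "0", "false"):
        findings.append("expose_php not off: the X-Powered-By header reveals the PHP version")
    return findings


def audit_httpd_conf(text):
    """Flag <Location> blocks that serve mod_status without an address restriction."""
    findings = []
    block_re = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)
    for path, body in block_re.findall(text):
        if "server-status" not in body.lower():
            continue
        restricted = re.search(r"^\s*(Require\s+(ip|local)|Allow\s+from)\b", body, re.M | re.I)
        if not restricted:
            findings.append(f"{path.strip()} exposes server-status to everyone: add 'Require ip <admin-net>'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak httpd.conf", WEAK_HTTPD), ("weak php.ini", WEAK_PHP_INI)):
        auditor = audit_httpd_conf if "httpd" in label else audit_php_ini
        for finding in auditor(conf):
            print(f"[{label}] {finding}")
```

The audit is deliberately conservative: a Require directive that only allows the admin network still passes, but a block that relies on an upstream firewall with nothing in the config itself is flagged, because that dependency is exactly what gets lost when the server is re-deployed.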
Directory Traversal Attacks
Web servers are designed so that public access is limited to the document root. Directory traversal is an attack that abuses HTTP to reach restricted directories and execute commands outside the web server's root directory by manipulating a URL, typically with ../ sequences or their encoded equivalents such as %5c for a backslash. Attackers can use trial and error to navigate outside the root directory and access sensitive information on the system.
FIGURE 12.7: Directory Traversal Attacks
Request URL:
http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\
Response (the directory listing of C:\ produced by cmd.exe):
Volume in drive C has no label.
Volume Serial Number is D45E-9FEE
Directory of C:\
(entries include AUTOEXEC.BAT, CONFIG.SYS, CATALINA_HOME, Documents and Settings, Downloads, Intel, Program Files, Snort, WINDOWS and WinDump.exe; 7 File(s), 13 Dir(s))
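The URL in Figure 12.7 works because the server decodes %5c to a backslash and hands "..\.." to the file system without checking that the result still lies under the document root. The following added example (not from the CEH text) contrasts that naive join with a resolver that decodes, normalizes separators, collapses ".." and refuses anything outside the root. The document root /var/www/scripts is an assumed value, and the path arithmetic uses posixpath so the check behaves identically on any platform.

```python
"""Naive vs. hardened mapping of a request path onto the document root.
Added example; DOCROOT is an assumption and the paths are taken from Figure 12.7."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/scripts"   # assumed document root, not from the page


def decode_fully(segment, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so a double-encoded
    %255c becomes %5c and then a backslash instead of slipping past a single decode."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            break
        segment = decoded
    return segment


def vulnerable_resolve(url_path):
    """What a naive handler does: decode once, glue onto the document root, open it.
    '..' and the backslash from %5c survive, so the file system walks out of DOCROOT."""
    return DOCROOT + "/" + unquote(url_path).lstrip("/")


def safe_resolve(url_path):
    """Decode, treat backslashes as separators, collapse '..', then refuse any result
    that is not inside DOCROOT. Raises PermissionError on a traversal attempt."""
    decoded = decode_fully(url_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if posixpath.commonpath([DOCROOT, candidate]) != DOCROOT:
        raise PermissionError(f"traversal blocked: {url_path!r} resolves to {candidate}")
    return candidate


def is_traversal(url_path):
    """True when safe_resolve would reject the path; usable as a request filter."""
    try:
        safe_resolve(url_path)
    except PermissionError:
        return True
    return False


# The path from Figure 12.7 as the server sees it once host and query string are removed.
ATTACK_PATH = "/..%5c../Windows/System32/cmd.exe"

if __name__ == "__main__":
    print("naive handler opens:", vulnerable_resolve(ATTACK_PATH))
    print("hardened handler rejects it:", is_traversal(ATTACK_PATH))
```

On a real server the containment check should run on the canonical path (realpath, following symlinks) rather than on the string alone, since a symlink inside the document root can point outside it; the string-level normalization shown here is the part that the encoded payload in the figure defeats.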
HTTP Response Splitting Attack
HTTP Response Splitting Attack
An HTTP response splitting attack is a web-based attack in which the server is tricked into emitting attacker-controlled new lines, and with them arbitrary headers and content, inside a response header. It belongs to the same family of injection flaws as cross-site scripting (XSS) and SQL injection, in that untrusted input reaches an interpreter, here the HTTP message parser, and it is typically used to mount XSS, web cache poisoning, and page hijacking.
The attacker crafts a single request whose response the browser or an intermediate proxy parses as two responses. This is accomplished by placing header data (CR LF sequences followed by header lines) in an input field. The attacker passes the malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker controls the first response, for example to redirect the user to a malicious website, while the remaining response is discarded by the web browser or, worse, matched to the next request on the connection.
Figure: HTTP Response Splitting Attack
Input = Jason:
HTTP/1.1 200 OK
Set-Cookie: author=Jason
Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n:
First response (controlled by attacker):
HTTP/1.1 200 OK
Set-Cookie: author=JasonTheHacker
Second response:
HTTP/1.1 200 OK
Vulnerable servlet code that copies the parameter straight into the header:
String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
Web Cache Poisoning Attack
Web Cache Poisoning Attack
Web cache poisoning is an attack against the trustworthiness of an intermediate web cache, in which legitimate content cached for an arbitrary URL is replaced with malicious content. Users of the cache then unknowingly receive the poisoned content instead of the genuine content when they request that URL through the cache.
The attacker forces the web server's cache to flush its real content and sends a specially crafted request whose second, injected response gets stored in the cache. The following diagram explains the whole process of web cache poisoning step by step.
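The response splitting attack and the cache poisoning built on it are easiest to see with a byte-level model of what the proxy reads from its upstream connection. The following added example (not from the CEH text) mirrors the Set-Cookie: author=... servlet from the response splitting section as a Python handler, parses its output the way a proxy would, and runs the seven steps of the figure through a toy caching proxy. redir.php and index.html are the page's illustrative URLs; the handler, the parser, the proxy and the hardened variant are constructed here.

```python
"""HTTP response splitting and the web cache poisoning it enables.
Added example: handler, proxy parser and toy cache are constructed; URLs follow the page."""
from urllib.parse import unquote


def vulnerable_handler(author):
    """Like the Java snippet above: the raw parameter lands in a Set-Cookie header.
    Any CR/LF inside it terminates the header and starts attacker-controlled lines."""
    body = b"<html>welcome</html>"
    return (b"HTTP/1.1 200 OK\r\nSet-Cookie: author=" + author.encode("latin-1")
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def is_safe_header_value(value):
    """A header value must not contain CR or LF (%0d%0a has already been decoded here)."""
    return "\r" not in value and "\n" not in value


def hardened_handler(author):
    """Fix: validate before the value reaches a header. Frameworks that do this at the
    header-setting API stop the split at its source."""
    if not is_safe_header_value(author):
        raise ValueError("CR/LF not allowed in a header value")
    return vulnerable_handler(author)


def split_messages(stream):
    """Parse a byte stream into (head, body) messages the way a proxy does: headers end
    at the first blank line, body length is Content-Length (0 if absent)."""
    messages = []
    while True:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            return messages
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        messages.append((head, rest[:length]))
        stream = rest[length:]


# The attacker's parameter, URL-encoded as in the page's redir.php request (constructed).
SPLIT_PARAM = unquote("JasonTheHacker%0d%0aContent-Length:%200%0d%0a%0d%0a"
                      "HTTP/1.1%20200%20OK%0d%0aContent-Length:%2011%0d%0a"
                      "Content-Type:%20text/html%0d%0a%0d%0aAttack%20Page")

GENUINE_INDEX = b"HTTP/1.1 200 OK\r\nContent-Length: 20\r\n\r\n<html>welcome</html>"


class ProxyCache:
    """Toy caching proxy. It reuses one upstream connection and assumes the Nth response
    answers the Nth request; a split response breaks exactly that assumption."""

    def __init__(self):
        self.store = {}      # url -> (head, body)
        self.pending = []    # responses read from upstream, not yet matched to a request

    def fetch(self, url, upstream_bytes, no_cache=False):
        if no_cache:
            self.store.pop(url, None)          # Pragma: no-cache evicts the entry
        elif url in self.store:
            return self.store[url]
        self.pending.extend(split_messages(upstream_bytes))
        response = self.pending.pop(0)         # the wrong message if a split is queued
        if not no_cache:
            self.store[url] = response
        return response


def poison_and_serve(handler=vulnerable_handler):
    """Steps 1-7 of the figure; returns the body a later victim receives for index.html."""
    proxy = ProxyCache()
    proxy.fetch("/index.html", GENUINE_INDEX, no_cache=True)   # 1-2: evict the real page
    proxy.fetch("/redir.php", handler(SPLIT_PARAM))             # 3-4: split; 2nd response queued
    proxy.fetch("/index.html", GENUINE_INDEX)                   # 5-6: queued response is cached
    _, body = proxy.fetch("/index.html", GENUINE_INDEX)         # 7: victim served from cache
    return body


if __name__ == "__main__":
    print("victim now receives:", poison_and_serve())
```

With hardened_handler in place of vulnerable_handler, step 3 raises before any response is written, so nothing is left queued and the cache keeps the genuine page. The same queued second response is what the HTTP response hijacking section describes: whichever request the proxy sends next on that connection, including a victim's, is answered by it.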
Figure: Web Cache Poisoning Attack
Steps: (1) the attacker sends a request with Pragma: no-cache to remove the original juggyboy.com page from the server cache; (2) the normal response is returned after the cache is cleared; (3) the attacker sends a malicious request that generates two responses (4 and 6); (4) the attacker receives the first server response; (5) the attacker requests juggyboy.com again to generate a cache entry; (6) the second response of request 3, which points to the attacker's page, is cached for that entry; (7) the poisoned server cache now maps www.juggyboy.com to the attacker's page.
Request 1:
GET http://juggyboy.com/index.html HTTP/1.1
Pragma: no-cache
Host: juggyboy.com
Accept-Charset: iso-8859-1,*,utf-8
Request 3:
GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0aAttack Page HTTP/1.1
Host: juggyboy.com
Request 5:
GET http://juggyboy.com/index.html HTTP/1.1
Host: testsite.com
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept-Charset: iso-8859-1,*,utf-8
HTTP Response Hijacking
HTTP response hijacking is accomplished with a response splitting request. In this attack, the attacker first sends a response splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. On receiving the response from the web server, the victim requests a service by supplying credentials. At the same time, the attacker requests the index page. The web server then sends the response to the victim's request to the attacker, and the victim remains uninformed.
The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:
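The splitting condition that both the web cache poisoning and the response hijacking diagrams rely on, shown as an added example (not code from the CEH module): a redirect handler that copies its site parameter into the Location header unsanitised, beside a hardened version, and a parser that counts how many responses a proxy or cache would see on the wire. The redir.php?site= endpoint and the juggyboy.com host are the module's; the handler logic and the injected value are constructed.

```python
"""Response splitting: a vulnerable redirect builder beside its hardened form.

Added example, not code from the CEH module. It follows the module's
diagrams (a redir.php?site= endpoint on juggyboy.com) but the endpoint
logic and the injected value are constructed for illustration.
"""
import re

# Constructed attacker-controlled value for the 'site' parameter. The CR/LF
# pairs end the real redirect response early and append a forged "200 OK".
INJECTED_SITE = (
    "\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 11\r\n\r\n"
    "Attack Page"
)


def vulnerable_redirect(site: str) -> bytes:
    """The naive redir.php: the untrusted value is concatenated straight
    into the Location header, so CR/LF inside it becomes new header lines."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {site}\r\n"
        "Connection: keep-alive\r\n\r\n"
    ).encode("latin-1")


class HeaderInjectionError(ValueError):
    """Raised when a header value would break out of its own line."""


def hardened_redirect(site: str) -> bytes:
    """Same redirect, but the value is refused if it contains CR, LF or any
    other control character; it can then never start a second response."""
    if re.search(r"[\x00-\x1f\x7f]", site):
        raise HeaderInjectionError("control character in Location value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {site}\r\n"
        "Connection: keep-alive\r\n\r\n"
    ).encode("latin-1")


def count_responses(raw: bytes) -> int:
    """Counts status lines the way a cache or proxy reading a keep-alive
    stream would: one at the start of the stream and one after every blank
    line. Two responses to one request is the splitting condition that the
    cache poisoning and response hijacking diagrams build on."""
    return len(re.findall(rb"(?:^|\r\n\r\n)HTTP/1\.[01] \d{3} ", raw))


def rejects_injection(site: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        hardened_redirect(site)
    except HeaderInjectionError:
        return True
    return False
```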
FIGURE 12.10: HTTP Response Hijacking
SSH Bruteforce Attack
SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network
Attackers can bruteforce SSH login credentials to gain unauthorized access to an SSH tunnel
SSH tunnels can be used to transmit malware and other exploits to victims without being detected
[Figure: an attacker and a user on the Internet reaching, through an SSH server, a web server, application server, file server and mail server.]
SSH Brute Force Attack
SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer otherwise unencrypted data over an insecure network. To attack SSH, the attacker first scans the SSH server to identify possible vulnerabilities. With the help of a brute force attack, the attacker then obtains the login credentials. Once the attacker has the SSH login credentials, he or she uses the same SSH tunnels to transmit malware and other exploits to victims without being detected.
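The defender's view of the SSH brute force described above, as an added example (not part of the CEH module): detection logic run over constructed sshd log lines in the default OpenSSH syslog format, flagging a source that fails repeatedly and, separately, a success from a source that was already flagged. The threshold and window are assumptions to be tuned per environment.

```python
"""Detecting an SSH brute-force attempt from sshd log lines.

Added example (not from the CEH module). The log lines below are
constructed in the default OpenSSH syslog format; the thresholds are
assumptions a defender would tune for their own environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: many failures from one source followed by a success,
# against a background of ordinary traffic from another host.
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan 10 12:00:02 web1 sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 50123 ssh2
Jan 10 12:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jan 10 12:00:04 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jan 10 12:00:05 web1 sshd[2105]: Failed password for invalid user guest from 203.0.113.7 port 50126 ssh2
Jan 10 12:00:06 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 50127 ssh2
Jan 10 12:00:09 web1 sshd[2107]: Accepted password for root from 203.0.113.7 port 50128 ssh2
Jan 10 12:00:20 web1 sshd[2108]: Accepted publickey for deploy from 198.51.100.4 port 41002 ssh2
Jan 10 12:03:40 web1 sshd[2109]: Failed password for deploy from 198.51.100.4 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log: str, year: int = 2024):
    """Yields (timestamp, result, user, ip) for each sshd authentication line.
    syslog timestamps carry no year, so one is supplied by the caller."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd noise (session opened, etc.)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60):
    """Flags any source IP with >= threshold failures inside window_s seconds
    (the brute-force signature) and, separately, any success from a source
    that was already flagged (the signature of a guessed credential)."""
    failures = defaultdict(list)
    flagged, compromised = set(), set()
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            # sliding window: keep only failures within the last window_s seconds
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            compromised.add((ip, user))
    return {"bruteforce_sources": flagged, "likely_compromised": compromised}
```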
FIGURE 12.11: SSH Brute Force Attack
Man-in-the-Middle Attack
Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and webservers
Attacker acts as a proxy such that all the communication between the user and Webserver passes through him
Man-in-the-Middle Attack
A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages exchanged between the user and the web server by eavesdropping on or intruding into the connection. This allows the attacker to steal sensitive user information such as online banking details, user names, passwords, etc. transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through the attacker by pretending to be a proxy. If the victim believes the attacker and agrees to the request, then all the communication between the user and the web server passes through the attacker. Thus, the attacker can steal sensitive user information.
Webserver Password Cracking
An attacker tries to exploit weaknesses to hack well-chosen passwords
Many hacking attempts start with cracking passwords and proving to the Webserver that the attacker is a valid user
Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping, keystroke logging, etc.
The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
Web form authentication cracking
SSH Tunnels
FTP servers
SMTP servers
Web shares
Web Server Password Cracking
Most hacking starts with password cracking. Once the password is cracked, the hacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, a brute force attack, a dictionary attack, etc. to crack passwords.
Attackers mainly target:
Web form authentication cracking
SSH tunnels
FTP servers
SMTP servers
Web shares
Webserver Password Cracking Techniques
Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.
Passwords can be cracked by using the following techniques:
Hybrid Attack: A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt
Web Server Password Cracking Techniques
Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack passwords:
Guessing: A common cracking method used by attackers is to guess passwords, either by hand or with automated tools supplied with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same habit allows the attacker to crack passwords by guessing.
Dictionary Attack: A dictionary attack tries predefined words in various combinations. It may not be effective if the password contains special characters and symbols, but compared to a brute force attack it is less time consuming.
Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase from "A to Z," numbers from "0 to 9," or lowercase "a to z." This method is useful for identifying one-word or two-word passwords. If a password consists of uppercase and lowercase letters and special characters, however, it might take months or years to crack, which is practically impossible.
Hybrid Attack: A hybrid attack is more powerful, as it uses both a dictionary attack and a brute force attack: dictionary words are extended with symbols and numbers. Password cracking becomes easier with this method.
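The techniques just described, turned around into a defender's check, as an added example (not from the CEH module): a password policy function that rejects a candidate if a dictionary lookup, a hybrid variant of a dictionary word, or a small brute-force keyspace would recover it. The wordlist, the leet map and the 60-bit threshold are constructed assumptions.

```python
"""Password policy check modelled on the cracking techniques above.

Added example (not from the CEH module). A registration or password-change
handler can run this before accepting a password. The wordlist and the
hybrid rules are constructed assumptions: a real deployment would load a
large common-password list plus the organisation's own banned terms.
"""
import math
import re
import string
from typing import Optional, Tuple

# Constructed wordlist: the common passwords the module names, plus a few
# "guessable" personal tokens (pet name, birth year) a user might pick.
WORDLIST = {
    "password", "root", "administrator", "admin", "demo", "test", "guest",
    "qwerty", "fluffy", "rex", "1985",
}

# Common substitutions that crackers undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def dictionary_hit(pw: str) -> bool:
    """Guessing / dictionary attack: the password is a wordlist entry
    (case-insensitively, also after undoing leet substitutions)."""
    low = pw.lower()
    return low in WORDLIST or low.translate(LEET) in WORDLIST


def hybrid_hit(pw: str) -> Optional[str]:
    """Hybrid attack: a wordlist entry with up to four digits and/or symbols
    prepended or appended (admin123, Password!, 2024qwerty). Returns the
    base word that would be recovered, or None."""
    m = re.fullmatch(r"[\d\W_]{0,4}([A-Za-z0-9@$]+?)[\d\W_]{0,4}", pw)
    if not m:
        return None
    base = m.group(1).lower()
    if base in WORDLIST or base.translate(LEET) in WORDLIST:
        return base
    return None


def keyspace_bits(pw: str) -> float:
    """Brute-force cost: log2 of the keyspace an attacker must search when
    trying every combination of the character classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in pw))
    if any(ch not in string.ascii_letters + string.digits for ch in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def audit_password(pw: str, min_bits: float = 60.0) -> Tuple[bool, str]:
    """Returns (accepted, reason), rejecting a password that falls to any of
    the techniques the module describes."""
    if dictionary_hit(pw):
        return False, "dictionary: appears in the common-password list"
    base = hybrid_hit(pw)
    if base:
        return False, f"hybrid: common word '{base}' with numbers/symbols added"
    bits = keyspace_bits(pw)
    if bits < min_bits:
        return False, f"brute force: only {bits:.0f} bits of keyspace"
    return True, f"ok: {bits:.0f} bits of keyspace"
```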
Web Application Attacks
Vulnerabilities in web applications running on a Webserver provide a broad attack path for Webserver compromise
Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications
Web Application Attacks
Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.
Directory Traversal
Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.
Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
Cookie Tampering
Cookie tampering is the method of poisoning or tampering with the client's cookie. Most such attacks are carried out at the point where the cookie is sent from the client side to the server. Persistent and non-persistent cookies can be modified by using different tools.
Command Injection Attacks
Command injection is an attacking method in which a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.
Buffer Overflow Attacks
Most web applications are designed to sustain some amount of data. If that amount is exceeded, the application may crash or may exhibit some other vulnerable behavior. The attacker takes advantage of this and floods the application with too much data, which in turn causes a buffer overflow attack.
Cross-Site Scripting (XSS) Attacks
Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.
Denial-of-Service (DoS) Attack
A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.
Unvalidated Input and File Injection Attacks
Unvalidated input and file injection attacks refer to attacks carried out by supplying unvalidated input or by injecting files into a web application.
Cross-Site Request Forgery (CSRF) Attack
A malicious web page makes the user's web browser send requests to a malicious website, where various vulnerable actions are performed that the user did not intend. This kind of attack is dangerous in the case of financial websites.
SQL Injection Attacks
SQL injection is a code injection technique that uses a security vulnerability of a database for attacks. The attacker injects malicious code into strings that are later passed on to SQL Server for execution.
Session Hijacking
Session hijacking is an attack where the attacker exploits, steals, predicts, or negotiates the real, valid web session control mechanism to access the authenticated parts of a web application.
Module Flow
So far we have discussed web server concepts and the various techniques used by attackers to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Webserver Security Tools
Patch Management
Counter-measures
This section provides insight into the attack methodology and the tools that help at various stages of hacking.
Webserver Attack Methodology
Information Gathering
Webserver Footprinting
Vulnerability Scanning
Hacking Webserver Passwords
Web Server Attack Methodology
Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of the web server attack methodology include:
Information Gathering
Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she then analyzes it in order to find the security lapses in the current mechanism of the web server.
Web Server Footprinting
The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
Mirroring Website
Website mirroring is a method of copying a website and its content onto another server for offline browsing.
Vulnerability Scanning
Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.
Session Hijacking
Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.
Hacking Web Server Passwords
Attackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.
Webserver Attack Methodology: Information Gathering
Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup and search the
whois database for relevant information on domain registration and availability. This can help
provide insight into a domain's history and additional information. It can be used for
performing a search to see who owns a domain name, how many pages from a site are listed
with Google, or even search the Whois address listings for a website's owner.
WHOis.net: Your Domain Starting Place...
WHOIS information for ebay.com:
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: EBAY.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: SJC-DNS1.EBAYDNS.COM
Name Server: SJC-DNS2.EBAYDNS.COM
Name Server: SMF-DNS1.EBAYDNS.COM
Name Server: SMF-DNS2.EBAYDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018
FIGURE 12.13: WHOIS Information Gathering
Webserver Attack Methodology: Webserver Footprinting
Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details
Telnet a Webserver to footprint a Webserver and gather information such as server name, server type, operating systems, applications running, etc.
Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting
Web Server Attack Methodology: Webserver Footprinting
The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to learn about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to a web server to footprint it and gather information such as server name, server type, operating system, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc.
Netcraft
Source: http://toolbar.netcraft.com
Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.
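A server-side counterpart to the footprinting just described, as an added example (not code from the CEH module, ID Serve or httprecon): it parses a raw HTTP response head of the kind such tools capture, lists the banner headers that identify the httpd and its version, and reports which hardening headers are absent. The response bytes and the header policy are constructed assumptions.

```python
"""What a footprinting tool learns from one HTTP response, and what a
server operator should check before an attacker does.

Added example (not from the CEH module or from ID Serve/httprecon). The raw
response below is constructed to resemble the header set ID Serve displays;
the header policy is an assumption, not a standard.
"""
from typing import Dict, List

# Constructed response head as a footprinting tool would capture it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.6 (Unix) PHP/5.2.4\r\n"
    b"X-Powered-By: PHP/5.2.4\r\n"
    b"Content-Length: 221\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Headers that hand a fingerprinting tool the product and version outright.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# Hardening headers a reviewer expects on a public web server (assumed policy).
EXPECTED_HEADERS = ("strict-transport-security", "x-frame-options",
                    "x-content-type-options", "content-security-policy")


def parse_head(raw: bytes) -> Dict[str, str]:
    """Splits the status line and headers up to the first blank line.
    Header names are lower-cased for lookup; repeated names are joined
    with ', ' as HTTP permits. The status line is stored under ':status'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {":status": status}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def disclosed_banners(headers: Dict[str, str]) -> Dict[str, str]:
    """The banner fields a tool like ID Serve would report verbatim."""
    return {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}


def leaks_version(value: str) -> bool:
    """True when a banner carries a dotted version number (e.g. 2.2.6);
    a bare product name such as 'gws' does not."""
    return any(tok[0].isdigit() and "." in tok
               for tok in value.replace("/", " ").split())


def audit(raw: bytes) -> Dict[str, List[str]]:
    """Findings grouped for a hardening review of one response."""
    headers = parse_head(raw)
    banners = disclosed_banners(headers)
    return {
        "version_disclosure": [f"{k}: {v}" for k, v in banners.items()
                               if leaks_version(v)],
        "missing_hardening": [h for h in EXPECTED_HEADERS if h not in headers],
    }
```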
[Figure: Netcraft toolbar, Search Web by Domain ("Explore 1,045,745 web sites visited by users of the Netcraft Toolbar", 3rd August 2012). Results for "site contains microsoft": 252 sites found, including www.microsoft.com (first seen August 1995, netblock Microsoft Corp, OS Citrix NetScaler), support.microsoft.com (first seen October 1997, Microsoft Corp, OS unknown) and technet.microsoft.com (first seen August 1999, Microsoft Corp, OS Citrix NetScaler).]
Webserver Footprinting Tools
[Figure: httprecon 7.3 fingerprinting http://www.nytimes.com:80 (target reported as Sun ONE Web Server 6.1; 352 implementations matched, candidates listed include Oracle Application Server 10g 10.1.2.2.0, Sun Java System Web Server 7.0, Abyss 2.5.0.0 X1, Apache 2.0.52 and Apache 2.2.6) and ID Serve v1.02 (Personal Security Freeware by Steve Gibson) querying www.google.com, which identified itself as gws. Sources: http://www.computec.ch, http://www.grc.com]
Web Server Footprinting Tools
We have already discussed the Netcraft tool. In addition to Netcraft, there are two more tools that allow you to perform web server footprinting: Httprecon and ID Serve.
Httprecon
Source: http://www.computec.ch
Httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.
[Figure: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp., querying www.google.com. Server query processing:
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
The server identified itself as: gws]
FIGURE 12.16: ID Serve
Webserver Attack Methodology: Mirroring a Website
Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
Search for comments and other items in the HTML source code to make footprinting activities more efficient
Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website
[Figure: HTTrack (http://www.httrack.com), "Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]": links scanned 2/14 (+13), files written 14, files updated 0, errors 0, bytes saved 320.26KB, time 2min22s, transfer rate 0B/s (1.19MB/s), active connections 1; the local disk tree shows the mirror being written under MyWebSites.]
FIGURE 12.17: Mirroring a Website
Webserver Attack Methodology: Vulnerability Scanning
Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present
Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities
Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited
Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities
Web Server Attack Methodology: Vulnerability Scanning
Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.
Vulnerability scanning determines the vulnerabilities that exist in the web server and its configuration. Thus, it helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Attackers also test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning, such as HP WebInspect, Nessus, Paros proxy, etc., to find hosts, services, and vulnerabilities.
Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans the system remotely and reports the vulnerabilities it detects before the attacker actually attacks and compromises them. Its features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features
that enhance usability, effectiveness, efficiency, and communication with all parts of your
organization.
FIGURE 12.18: Nessus Screenshot
Webserver Attack Methodology: Session Hijacking
Sniff valid session IDs to gain unauthorized access to the Web Server and snoop the data
Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs
Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking
[Figure: Burp Suite free edition v1.4.01, target site map for http://edition.cnn.com (filter hiding not-found items, CSS, image and general binary content, 4xx responses and empty folders), with a captured GET request to edition.cnn.com shown with its Host, User-Agent and Accept headers, and the site-map context menu: add item to scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools [pro version only], compare site maps, expand branch, expand requested items, delete branch, copy URLs in this branch, copy links in this branch, save selected items.]
FIGURE 12.19: Burp Suite Screenshot
[Figure: Brutus AET2 (www.hoobie.net/brutus) screenshot: target 10.0.0.17, port 80, type HTTP (Basic Auth), method HEAD, user file users.txt; the log reports 6 users, 818 passwords, a maximum of 4908 authentication attempts, and positive authentication results for the users admin and backup]
FIGURE 12.20: Brutus Screenshot
Webserver Attack Tools: Metasploit
The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms
It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP
[Figure: Metasploit web interface dashboard with the Operating Systems (Top 5), Network Services (Top 5), Target System Status, and Project Activity (24 Hours) panels]
http://www.metasploit.com
Web Server Attack Tools: Metasploit
Source: http://www.metasploit.com
The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and
relatively painless. It enables users to identify, assess, and exploit vulnerable web applications.
Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised
web server to discover an exploitable vulnerability in a database that hosts confidential
customer data and employee information. Your team members can then leverage the data
gained to conduct social engineering in the form of a targeted phishing campaign, opening up
new attack vectors on the internal network, which are immediately visible to the entire team.
Finally, you generate executive and audit reports based on the corporate template to enable
your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or
PCI DSS.
Metasploit enables teams of penetration testers to coordinate orchestrated attacks against
target systems and for team leads to manage project access on a per-user basis. In addition,
Metasploit includes customizable reporting.
Metasploit enables you to:
Complete penetration test assignments faster by automating repetitive tasks and
leveraging multi-level attacks
Assess the security of web applications, network and endpoint systems, as well as email users
Emulate realistic network attacks based on the leading Metasploit framework with more
than one million unique downloads in the past year
Test with the world's largest public database of quality assured exploits
Tunnel any traffic through compromised targets to pivot deeper into the network
Collaborate more effectively with team members in concerted network tests
Customize the content and template of executive, audit, and technical reports
Metasploit Architecture
[Figure: Metasploit architecture diagram. Libraries: Rex, Framework-Core, Framework-Base. Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi. Modules: Exploits, Payloads, Encoders, NOPs, Auxiliary. Also shown: Protocol Tools, Security Tools, Web Services, Integration, Custom plug-ins]
Metasploit Architecture
The Metasploit framework is an open-source exploitation framework that is designed
to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework
provides the ability to reuse large chunks of code that would otherwise have to be copied or
reimplemented on a per-exploit basis. The framework was designed to be as modular as
possible in order to encourage the reuse of code across various projects. The framework itself
is broken down into a few different pieces, the most low-level being the framework core. The
framework core is responsible for implementing all of the required interfaces that allow for
interacting with exploit modules, sessions, and plugins. It supports vulnerability research,
exploit development, and the creation of custom security tools.
Metasploit Payload Module
A payload module establishes a communication channel between the Metasploit framework and the victim host
It contains the arbitrary code that is executed as the result of an exploit succeeding
To generate payloads, first select a payload using the command:
Metasploit Payload Module
The Metasploit payload module offers shellcode that can perform a number of
interesting tasks for an attacker. A payload is a piece of software that lets you control a
computer system after it has been exploited. The payload is typically attached to and delivered
by the exploit. An exploit carries the payload in its backpack when it breaks into the system and
then leaves the backpack there.
With the help of a payload, you can upload and download files from the system, take
screenshots, and collect password hashes. You can even take over the screen, mouse, and
keyboard to fully control the computer.
To generate payloads, first select a payload using the command:
msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
-b <opt>  The list of characters to avoid: '\x00\xff'
-e <opt>  The name of the encoder module to use.
-h        Help banner.
-o <opt>  A comma separated list of options in VAR=VAL format.
-s <opt>  NOP sled length.
-t <opt>  The output type: ruby, perl, c, or raw.
msf payload(shell_reverse_tcp) >
Metasploit NOPS Module
NOP modules generate no-operation instructions used for padding out buffers
Use the generate command to generate a NOP sled of an arbitrary size and display it in a given format

msf > use x86/opty2
msf nop(opty2) > generate -h
Usage: generate [options] length
Generates a NOP sled of a given length
OPTIONS:
-b <opt>  The list of characters to avoid: '\x00\xff'
-h        Help banner.
-s        The comma separated list of registers to save.
-t <opt>  The output type: ruby, perl, c, or raw
msf nop(opty2) >

To generate a 50-byte NOP sled that is displayed as a C-style buffer, run generate -t c 50 (the command and its output are shown in the text that follows).
Metasploit NOPS Module
Metasploit NOP modules are used to generate no-operation instructions that can be
used for padding out buffers. The NOP module console interface supports generating a NOP
sled of an arbitrary size and displaying it in a given format.
OPTIONS:
-b <opt>  The list of characters to avoid: '\x00\xff'
-h        Help banner.
-s        The comma separated list of registers to save.
-t <opt>  The output type: ruby, perl, c, or raw.
Generates a NOP sled of a given length
To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following
command:
msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >
Figure 12.25: Metasploit NOPS Module
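As an added example (not code from the CEH module or from the Metasploit project), the Ruby script below parses the C-style buffer that generate -t c 50 prints, checks that the sled has the requested length and contains none of the bytes given with -b, and re-renders it in the ruby, c and raw forms that the -t option lists; the 15-bytes-per-line layout and the buf variable name are assumptions.

```ruby
# Added example (not from the CEH module or Metasploit): parse the C-style
# buffer printed by "generate -t c 50", verify its length and bad-character
# constraints (-b), and re-render it in the ruby, c or raw output formats.

# Constructed input: the 50-byte x86/opty2 sled shown on this page.
OPTY2_C_BUFFER = <<~'C'
  unsigned char buf[] =
  "\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
  "\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
  "\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
  "\x92\xb5\xd4\x4f\x91";
C

# Collect every \xNN escape from a C (or ruby) string literal into raw bytes.
def parse_c_buffer(text)
  text.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }.pack('C*')
end

# A -b style bad-character spec such as '\x00\xff' uses the same escapes.
def parse_badchars(spec)
  parse_c_buffer(spec).bytes
end

# Check length and bad bytes; returns a hash so callers can inspect findings.
def check_sled(sled, expected_len, badchars)
  found = sled.bytes.uniq & badchars
  { length: sled.bytesize,
    length_ok: sled.bytesize == expected_len,
    bad_bytes_found: found.map { |b| format('\\x%02x', b) } }
end

# Render the sled the way generate -t does: c, ruby or raw (assumed 15 bytes
# per line; the buf variable name is an assumption too).
def render(sled, type, width = 15)
  lines = sled.bytes.each_slice(width).map do |slice|
    '"' + slice.map { |b| format('\\x%02x', b) }.join + '"'
  end
  case type
  when 'c'    then "unsigned char buf[] =\n#{lines.join("\n")};"
  when 'ruby' then "buf =\n#{lines.join(" +\n")}"
  when 'raw'  then sled
  else raise ArgumentError, "unknown output type: #{type}"
  end
end

if __FILE__ == $PROGRAM_NAME
  sled = parse_c_buffer(OPTY2_C_BUFFER)
  p check_sled(sled, 50, parse_badchars('\x00\xff'))
  puts render(sled, 'ruby')
end
```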
Webserver Attack Tools: WFetch
WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data
It allows an attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols
[Figure: WFetch screenshot: Advanced Request pane with Verb GET and Host localhost; Log Output pane reporting Last Status: 500 Internal Server Error]
[Figure: N-Stalker Web Application Security Scanner 2012 - Free Edition screenshot]
[Figure: CORE Impact Pro (version 11.0.4666) screenshot listing local privilege escalation exploit modules]
FIGURE 12.37: CORE Impact Pro Screenshot
Web Server Pen Testing
Web server pen testing is used to identify, analyze, and report vulnerabilities in a web server, such as authentication weaknesses, configuration errors, and protocol-related vulnerabilities
The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities
Web Server Pen Testing
Web server pen testing will help