Government Security
Network Security Resources

Web Server Hacking


2 replies to this topic

#1 No Dice

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 723 posts

Posted 18 February 2006 - 07:25 AM

Not sure if this would be considered a Tut but I'll post this here as a guide or challenge for others to answer the questions. Posted as found for authenticity:

Source: http://users.ece.gat..... security.doc

http://64.233.179.10...us&ct=clnk&cd=1

ECE 4112: Internetwork Security

Lab 12: Web Security


Group Number: ___________

Member Names: _______________ _______________

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.


Date: November 16, 2004

Date Due: November 23, 2004

Last Revised: November 15, 2004

Written by: Tom Bean and Valerio Oricchio

Goal: The goal of this lab is to examine various tools and techniques that can be used to exploit weaknesses in web servers.

Summary: This lab will introduce tools that can be used to see vulnerabilities on an apache web server and to gain access to private pages.

Background and Theory: Web server hacking refers to attackers taking advantage of vulnerabilities inherent to the web server software itself (or one of its add-on components). These vulnerabilities are typically publicized and are easy to detect and attack. An attacker with the right set of tools and ready-made exploits can bring down a vulnerable web server in minutes. For this reason, it is crucial for web administrators to always patch their web server and related software.

Prelab Questions: None.

Lab Scenario: For this lab we will be accessing an Apache web server on the Mininet whose IP address is 57.35.6.2. This is a RedHat 7.2 machine running Apache. This emulates a web server without proper security updates that you might find on the web.


Copy the files from the Lab12 Folder on the NAS to the various machines

On the Redhat 8.0 host machine:

# mkdir /root/lab12

# cp -rf /mnt/nas4893/Lab12/RH8.0/* /root/lab12

On the Windows XP virtual machine:

Create a folder called “lab12” on the desktop.

Copy the contents of the Windows directory of Lab12 on the NAS, to this folder.

Section 1: Web Security Utilities

Some of the following utilities will need SSL support so first and foremost, install OpenSSL on the Redhat 8.0 host:

# cd /root/lab12

# tar xvfz openssl-0.9.6j.tar.gz

# cd openssl-0.9.6j

# ./config -shared --prefix=/usr/local/ssl -fPIC

# make

# make test

# make install

Now the utilities we install can use the SSL libraries.

WGET

When targeting a web server, a serious hacker would study its content thoroughly. This might involve downloading its entire content for offline examination at his leisure. Doing this manually would be very tedious and tiresome, so luckily there are some useful tools readily available that automate this process.

WGET is a free software package for retrieving files using HTTP, HTTPS, and FTP. It can be downloaded from http://www.gnu.org/s.../wget/wget.html.

To install wget: On the Redhat 8.0 physical machine, change to the utilities folder:

# cd /root/lab12/utilities

Now build wget:

# tar xvfz wget-1.9.1.tar.gz

# cd wget-1.9.1

# ./configure --prefix=/usr/local/wget --with-ssl

# make

# make install

To use wget to download a complete website, do the following:

# mkdir /root/lab12/downloaded

# wget -P /root/lab12/downloaded -m http://57.35.6.2

This transfers data to the folder /root/lab12/downloaded.

Q1.1: What data is transferred to this folder?

Q1.2: Why would this information be useful to attackers?

httpdtype and user discovery

Apache web servers, by default, are set up in a way that makes it easy for attackers to determine the type of web server that is running, what additional modules are built into Apache, and what user accounts are present on the server.

The first simple utility we will look at is a program called “httpdtype”. It is available from http://packetstormsecurity.nl in a package named “apscan2.tgz”. The other utilities in this package are not useful for our purposes and will not be discussed.

On your Redhat 8.0 physical machine:

# cd /root/lab12/utilities

# tar xvfz apscan2.tgz

The other utilities are extracted as well but can be ignored.

Now, type:

# ./httpdtype 57.35.6.2

Q1.3: What is the output?

Another useful utility takes advantage of a bug in the Apache software, when run on a Redhat machine, that makes user discovery quite easy.

If you try to access an existing user's folder on an Apache server using a “~”, the server will respond with a 403 error message, indicating “Forbidden”, since that particular user has not set the appropriate permissions for their folder.

If you were to try to access a non-existent user in the same manner, the server would respond with a 404 message indicating “Not Found”, since that user doesn't exist.

Open up a web browser on your Redhat 8.0 physical machine, and type the following URL “http://57.35.6.2/~root” and observe the results.

Now try “http://57.35.6.2/~rooty” [this lab assumes there is not a user called “rooty”]

Observe these results.

As can be seen, this is a very easy method to determine what user accounts are on a particular server. C code included on the NAS, named “arse.c”, which is short for Apache and Redhat Security Exploit, will automate this process. This code can also be obtained from http://packetstormsecurity.nl.

You have already downloaded “arse.c”, now we will compile it on the Redhat 8.0 physical machine:

# cd /root/lab12/utilities

# gcc -o arse arse.c

Now run “arse” in the following manner:

# ./arse 57.35.6.2 80 names.txt [“names.txt” contains various user names]

This will check server “57.35.6.2”, use port 80 (http), and check user names in “names.txt”.

Q1.4: What user names were found?

Now we know what user accounts are on the server, information that is very useful to an attacker. One very good use of this information is shown in the following section, where we exploit a flaw in the basic authentication system that web servers use.


Cracking basic auth

Most web servers have information on them that is only intended for a certain user or a certain group of users. To prevent access to this information by unauthorized individuals, web servers can use “basic authentication”, the simplest method of authentication. For a long time this was the most common authentication method used by all web servers on the Internet and is still the primary form of access protection used by many.

We have set up a private folder on our web server. Attempt to browse to: “http://57.35.6.2/private/” and see that an authentication prompt comes up.

[Note: a “/” is required after “private” above]

This page is only available to two users with passwords.

A bug exists in basic auth that sets no limits on the number of simultaneous connections and the number of authentication attempts permitted. This makes the process of brute-forcing your way into a secured folder or file much easier. Also, since we already know what users exist on the system (from our “arse” output), we will only test passwords for those particular users.

Note that the users for this directory may not necessarily match the system users we determined earlier; however, chances are very good that they usually will.

A really good brute-forcer for the Win32 environment is Brutus, available at:

http://www.hoobie.net/brutus/

As specified on the website:

Brutus has support for the following authentication types:

HTTP (Basic Authentication)

HTTP (HTML Form/CGI)

POP3

FTP

SMB

Telnet

Other types (must be imported)

The current release includes the following functionality :

Multi-stage authentication engine

60 simultaneous target connections

No user name, single user name and multiple user name modes

Password list, combo (user/password) list and configurable brute force modes

Highly customisable authentication sequences

Load and resume position

Import and Export custom authentication types as BAD files seamlessly

SOCKS proxy support for all authentication types

User and password list generation and manipulation functionality

HTML Form interpretation for HTML Form/CGI authentication types

Error handling and recovery capability inc. resume after crash/failure.

As you can see, Brutus can be very useful for cracking passwords with a large number of protocols.

Install Brutus on your Windows XP Virtual Machine:

Create a new folder on the desktop called “Brutus”

Open the “lab12” folder on the desktop and double-click on the Brutus zip file. Extract all files to the “Brutus” folder. Now, copy the “names.txt” (same file used with arse) from the lab12 folder to the Brutus folder.

Now run “BrutusA2.exe”.

For “Target” specify: “57.35.6.2/private/”

for “Type”: HTTP (Basic Auth)

Under Authentication Options:

Check “Use Username”

For “Pass Mode”: Word List

For “User File”: names.txt

For “Pass File”: words.txt

Now click the “Start Button”

Q1.5: Are the passwords for the two users able to be cracked and if so, what are the users and passwords and how long did it take?

Brutus is also very useful in that it can “brute-force” passwords. If you want to try this, change “Pass Mode” to “Brute Force” and click “Start”.

Warning: If you don't set the “Range” settings to something close to the passwords you are attempting to crack, you could literally be waiting for centuries.

Play around with the Brute Force Range options to get an idea about what takes the longest.

Q1.6: What types of passwords would be easiest to crack? Which would be hardest? Why?

Now, if you want, play around with the many other features in Brutus to get a feel for all that can be accomplished with this software.

Section 2: Vulnerability Scanning

Several tools are available to automate the process of parsing web servers for the numerous exploits that are continuously found in the hacking community. Commonly called “vulnerability scanners”, these types of tools will scan for dozens of well-known vulnerabilities. Attackers can then use their time more efficiently in exploiting the vulnerabilities found by the tools.

In this lab, we'll use one of the more popular scanners called “Nikto”. It can be obtained from: http://www.cirt.net/code/nikto.shtml.

The description on the website states:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

We will install and use Nikto to see what we find. Since Nikto is a Perl script, it requires the Perl module Net::SSLeay for it to have HTTPS support. That module can be obtained from: http://www.cpan.org/....pm-1.25.tar.gz.

We will now install Nikto and the Net::SSLeay module.

On your Redhat 8.0 physical machine:

# cd /root/lab12

# tar xvfz Net_SSLeay.pm-1.25.tar.gz

# cd Net_SSLeay.pm-1.25

# perl Makefile.PL

# make install

# cd ..

# tar xvfz nikto-current.tar.gz

# cd nikto-1.32

# ./nikto.pl

This will display Nikto's large variety of command-line options. For more detailed descriptions consult the “nikto-usage.txt” file in the /docs folder.

To test the vulnerabilities on our web server type:

# ./nikto.pl -h 57.35.6.2 -p 80,443 > outfile.txt

This will scan the web server on our Redhat 7.2 Virtual Machine on port 80 (http) and port 443 (https). The “> outfile.txt” will output to the file what would normally be displayed to the screen.

Open “outfile.txt” in your favorite text editor to observe what is found.

Attachment 1: Attach a printout of this for Port 80 only (header shows where this starts).

Q2.1 How can this information be used to a hacker's advantage?

If you are wondering what reflection will be made on the server in terms of log files, etc., we have included an access log from the server after being subjected to the same attacks. On your RH8.0 machine it is “/root/Lab12/access_logs”. Open this with a text editor (it is a large file) and look at the contents.

Q2.2 Is it apparent that a scanner (in our case, Nikto) was run and if so how can you tell? What about Brutus?




Answer Sheet Lab 12


Group Number: _______________

Member Names: _________________________ _________________________



Section 1: Web Security Utilities

Q1.1: What data is transferred to this folder?





Q1.2: Why would this information be useful to attackers?




Q1.3: What is the output?





Q1.4: What user names were found?



Q1.5: Are the passwords for the two users able to be cracked and if so, what are the users and passwords and how long did it take?





Q1.6: What types of passwords would be easiest to crack? Which would be hardest? Why?







Section 2: Vulnerability Scanning

Q2.1: How can this information be used to a hacker's advantage?





Q2.2: Is it apparent that a scanner (in our case, Nikto) was run and if so how can you tell? What about Brutus?







How long did it take you to complete this lab? Was it an appropriate length lab?
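Q2.2 asks whether the scanner and the brute-forcer leave a visible trace in the server's access log. The script below is an added example, not part of the lab handout or the original post: it parses Apache combined-format log lines and flags the three techniques the lab walks through from the server's side, namely a Nikto-style scan (a scanner banner in the User-Agent plus a burst of 404s), Brutus-style basic-auth guessing (a run of 401s on /private/, optionally followed by a 200 once a password is guessed), and arse-style user enumeration (many /~name requests answered with 403 for existing accounts and 404 for missing ones). The sample log lines, the User-Agent strings, the source addresses and the thresholds are all constructed for this example; the lab's real access_logs file is not reproduced here.

```python
"""Spot the lab's three techniques in an Apache access log (defender's view).

Added example for Q2.2. All sample lines, addresses and User-Agent strings are
constructed for this example; they are not taken from the lab's access_logs.
"""
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCANNER_BANNERS = ("nikto",)              # substrings identifying a scanner UA
USERDIR_RE = re.compile(r"^/~([^/?]+)")  # mod_userdir style /~name paths


def _line(ip, second, path, status, ua):
    """Build one constructed log line (sample-data helper, not real traffic)."""
    return (f'{ip} - - [16/Nov/2004:10:00:{second:02d} -0500] '
            f'"GET {path} HTTP/1.0" {status} 512 "-" "{ua}"')


NIKTO_UA = "Mozilla/4.75 (Nikto/1.32)"              # constructed banner
BRUTUS_UA = "Mozilla/3.0 (Compatible);Brutus/AET"   # constructed banner
BROWSER_UA = "Mozilla/5.0 (X11; Linux)"             # constructed banner

SAMPLE_LOG = (
    [_line("57.35.6.9", 1, "/", 200, BROWSER_UA),
     _line("57.35.6.9", 2, "/index.html", 200, BROWSER_UA)]
    # arse-style UserDir probing: 403 = account exists, 404 = no such account
    + [_line("57.35.6.9", 10 + i, f"/~{u}", st, BROWSER_UA)
       for i, (u, st) in enumerate([("root", 403), ("rooty", 404), ("tom", 403),
                                    ("valerio", 403), ("zzz", 404)])]
    # Brutus-style basic-auth guessing: eight 401s, then a 200
    + [_line("57.35.6.7", 20 + i, "/private/", 401, BRUTUS_UA) for i in range(8)]
    + [_line("57.35.6.7", 28, "/private/", 200, BRUTUS_UA)]
    # Nikto-style scan: identifying User-Agent and a burst of 404s
    + [_line("57.35.6.8", 30 + i, p, 404, NIKTO_UA) for i, p in enumerate(
        ["/cgi-bin/test-cgi", "/cgi-bin/phf", "/scripts/", "/_vti_bin/",
         "/cgi-bin/formmail.pl", "/admin/", "/manual/", "/server-status"])]
    + [_line("57.35.6.8", 40, "/icons/", 200, NIKTO_UA)]
)


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def find_scanners(entries, min_404=5):
    """Per-IP: a scanner banner in the User-Agent, or a burst of 404s (scanners
    request many files that are not there, as Nikto's item list does)."""
    stats = defaultdict(lambda: {"requests": 0, "404": 0, "banner": None})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        if e["status"] == 404:
            s["404"] += 1
        for name in SCANNER_BANNERS:
            if name in e["ua"].lower():
                s["banner"] = name
    return {ip: s for ip, s in stats.items() if s["banner"] or s["404"] >= min_404}


def find_auth_bruteforce(entries, protected="/private/", min_failures=5):
    """Per-IP count of 401s on the protected path; 'succeeded' flags a 200 on the
    same path after failures, i.e. a password was probably guessed."""
    stats = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for e in entries:
        if not e["path"].startswith(protected):
            continue
        s = stats[e["ip"]]
        if e["status"] == 401:
            s["failures"] += 1
        elif e["status"] == 200 and s["failures"] > 0:
            s["succeeded"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= min_failures}


def find_userdir_probes(entries, min_names=3):
    """Per-IP /~name requests: 403 means the account exists (directory present
    but unreadable), 404 means it does not. Many distinct names = enumeration."""
    probes = defaultdict(lambda: {"existing": [], "missing": []})
    for e in entries:
        m = USERDIR_RE.match(e["path"])
        if not m:
            continue
        bucket = {403: "existing", 404: "missing"}.get(e["status"])
        if bucket:
            probes[e["ip"]][bucket].append(m.group(1))
    return {ip: p for ip, p in probes.items()
            if len(p["existing"]) + len(p["missing"]) >= min_names}


def analyze(lines):
    """Run all three detections over raw log lines and return the hits."""
    entries = parse_log(lines)
    return {"scanners": find_scanners(entries),
            "auth_bruteforce": find_auth_bruteforce(entries),
            "userdir_probes": find_userdir_probes(entries)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the real file the lab provides, replace SAMPLE_LOG with the lines read from /root/Lab12/access_logs; the thresholds are deliberately low for the tiny constructed sample and should be raised for a production log. The 403-versus-404 split in the UserDir report is the same signal arse.c relies on, seen from the server, which is why disabling mod_userdir or making both cases return the same status removes the enumeration oracle.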

#2 spirry

    Private

  • Members
  • 4 posts

Posted 19 February 2006 - 09:17 AM

Could you paste the links with the ... in the URL again? I can't open them.

#3 No Dice

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 723 posts

Posted 19 February 2006 - 11:03 AM

Links are correct but the page has been removed. Probably realized their material was being leaked on the net…

But what I posted here was the exercise in its entirety.
