Web Server
A computer system that stores, processes, and delivers web pages to global clients via the Hypertext Transfer Protocol (HTTP)
Components of a Web Server
- Document Root
- Server Root (conf, logs, cgi-bin)
- Virtual Document Tree
- Virtual Hosting
- Web Proxy
Document Root
The top-level directory from which the web server serves a site's content (HTML pages, images, scripts); the path part of a requested URL is mapped onto files beneath this directory, so it is the boundary a directory traversal attack tries to escape
Server Root
The root directory for the web server configuration
Server Root Subdirectories
- conf
- logs
- cgi-bin
conf Directory
Server Root Subdirectory that contains the server configuration files
logs Directory
Server Root Subdirectory that contains the server logs
cgi-bin Directory
Server Root Subdirectory that contains common gateway interface (CGI) scripts or other server-side executables
Virtual Document Tree
Provides storage on a different machine or disk after the original disk becomes full
Virtual Hosting
Technique of hosting multiple domains or websites on the same server, allowing the hosted sites to share one machine's resources (address, ports, CPU and storage) while each keeps its own configuration and document root
Types of Virtual Hosting
- Name Based
- IP Based
- Port Based
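The three virtual hosting types select a site from different parts of the request: the Host header (name based), the destination address (IP based) or the destination port (port based). The following Python dispatcher is an added example, not code from the original page or from any web server; the host names, addresses and document roots are constructed for illustration. It mimics Apache's selection order, including the detail that matters for footprinting: when no name matches (or the request carries no Host header at all, as when a scanner connects by IP), the first host defined for that address and port is served.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class VirtualHost:
    name: str                                      # ServerName
    ip: str                                        # listening address, "*" for any address
    port: int                                      # listening port
    docroot: str                                   # document root served for this host
    aliases: list = field(default_factory=list)    # ServerAlias patterns, "*" wildcard allowed


# Constructed configuration for this example (hypothetical names and paths).
VHOSTS = [
    VirtualHost("default.example", "*", 80, "/var/www/default"),                 # first *:80 entry = default
    VirtualHost("shop.example", "*", 80, "/var/www/shop", ["*.shop.example"]),   # name based
    VirtualHost("intranet.example", "10.0.0.5", 80, "/var/www/intranet"),        # IP based
    VirtualHost("admin.example", "*", 8443, "/var/www/admin"),                   # port based
]


def select_vhost(server_ip, port, host_header, vhosts=VHOSTS):
    """Pick the virtual host for a request, mimicking Apache's selection order."""
    # Port based: only hosts listening on the requested port are candidates.
    candidates = [v for v in vhosts if v.port == port and v.ip in ("*", server_ip)]
    if not candidates:
        return None
    # IP based: a host bound to the exact address wins over wildcard-address hosts.
    exact = [v for v in candidates if v.ip == server_ip]
    if exact:
        candidates = exact
    # Name based: match the Host header (port suffix stripped) against ServerName / ServerAlias.
    if host_header:
        name = host_header.split(":")[0].lower()
        for v in candidates:
            if name == v.name or any(fnmatch(name, a) for a in v.aliases):
                return v
    # No match, or no Host header at all: the first host defined for that socket is served.
    # This default host is what a scanner connecting by IP address sees, so keep it minimal.
    return candidates[0]
```

Probing the server by IP with a bogus Host header is therefore a quick way to learn what the default host exposes, and a hardening step is to make that first host a deliberately empty placeholder.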
Web Proxy
An intermediary through which all client requests are passed on to the web server; it can cache responses, filter or log traffic, and hide the address of the client (forward proxy) or of the backend server (reverse proxy)
Common Goals Behind Web Server Attacks
- Stealing credit-card details or other sensitive credentials using phishing techniques
- Integrating the server into a botnet to perform denial of service (DoS) or distributed DoS (DDoS) attacks
- Compromising a database
- Obtaining closed-source applications
- Hiding and redirecting traffic
- Escalating privileges
- For pure curiosity
- For completing a self-set intellectual challenge
- For damaging the target organization's reputation
Impact of Web Server Attacks
- Compromise of user accounts
- Website Defacement
- Root access to applications and server
- Secondary attacks from website
- Data tampering
- Data theft
- Damage of company reputation
Common Oversights for Web Server Security
- Failing to update the web server with the latest patches
- Using the same system administrator credentials everywhere
- Allowing unrestricted internal and outbound traffic
- Running unhardened applications and servers
- Providing complete error messages with server version information
- Using outdated SSL/TLS encryption algorithms
- Using third-party plugins in the web application
- Improper file and directory permissions
- Installing server with default settings
- Unnecessary services enabled, including content management and remote administration
- Security conflicts with the business' ease-of-use requirements
- Lack of proper security policy, procedures, and maintenance
- Improper authentication with external systems
- Default accounts with default or no passwords
- Unnecessary default, backup, or sample files
- Misconfigurations in the web server, OS, and networks
- Bugs in server software, OS, and web applications
- Misconfigured Secure Sockets Layer (SSL) certificates and encryption settings
- Administrative or debugging functions that are enabled or accessible on web servers
- Use of self-signed certificates and default certificates
- Not using a dedicated server for web services
- Granting excessive privileges to users or processes, or failing to implement the principle of least privilege.
Apache Web Server Architecture Components
- HTTP Client
- HTTP Server (Core)
- BMMTM Extensible Agent
- Application Server
HTTP Client
Browser or software that initiates requests to the web server
Apache HTTP Server (Core)
The core module handles HTTP(S) requests and responses
Apache HTTP Server (Core) Modules
- mod_auth
- mod_ssl
- mod_rewrite
- mod_proxy
Apache HTTP Server (Core) mod_auth Module
Manages user authentication (in Apache 2.2 and later this role is split across mod_auth_basic, mod_auth_digest and the mod_authn_*/mod_authz_* provider modules)
Apache HTTP Server (Core) mod_ssl Module
Provides SSL/TLS encryption to secure communication between the server and the clients
Apache HTTP Server (Core) mod_proxy Module
Functions as a proxy and gateway
Apache HTTP Server (Core) mod_rewrite Module
Enables URL rewriting, customized URLs, and redirection based on specified rules
Apache BMMTM Extensible Agent
Intercepts HTTP(S) requests and responses to gather detailed transaction data. It enhances monitoring and performance analysis by providing insights into the interactions between clients and servers.
Apache Application Server
Executes backend applications, processes data, and generates dynamic content, functioning separately from the web server that handles the HTTP requests
HTTP response splitting Vulnerability
Occurs when improperly validated input allows attackers to inject malicious headers into HTTP responses
mod_macro buffer over-read Vulnerability
Occurs when the mod_macro module improperly handles macro expansion, causing it to read beyond the buffer's end
DoS in HTTP/2 with initial window size 0 Vulnerability
Arises when an attacker sets the HTTP/2 initial window size to 0, which prevents the server from sending response data while the attacker keeps the connection open, tying up server resources
HTTP/2 stream memory not reclaimed right away on RST Vulnerability
Occurs when memory allocated for an HTTP/2 stream is not immediately freed upon receiving a stream reset (RST) frame, so a client that opens and resets streams rapidly can exhaust server memory
DNS rebinding in import functionality Vulnerability
Occurs because of inadequate input validation in the import functionality of Apache Allura
Improper certificate validation Vulnerability
Arises from improper certificate validation in FTP_TLS connections of Apache Airflow
Internet Information Services (IIS)
A web server application developed by Microsoft, runs on a server and responds to browser requests. It supports HTTP, HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).
Internet Information Services (IIS) Components
- Protocol listeners (for HTTP and HTTPS, the kernel-mode driver HTTP.sys)
- World Wide Web Publishing Service (known as WWW service)
- Windows Process Activation Service (WAS)
IIS Trust boundary violation vulnerability
Results from inadequate separation of privilege boundaries, allowing data or control to pass from a less trusted component to a more trusted one without validation
Nginx
A high-performance scalable web server, reverse proxy, and load balancer that operates on a master-worker architecture. It employs a single-threaded, event-driven, asynchronous, and non-blocking model to efficiently manage multiple connections.
Nginx Components
- Master Process
- Worker Process
- Proxy Cache (Cache Loader, Cache Manager)
- Web Server
- Application Server
- Memcache
Nginx Master Process
Responsible for reading and validating configuration files; creating, binding, and closing sockets; and managing worker processes. It performs administrative tasks and ensures that worker processes are properly configured and run efficiently.
Nginx Worker Process
Handle client requests by accepting connections, reading/writing data, and communicating with upstream servers
Nginx Proxy Cache
Stores copies of requested content, reduces backend server load, and speeds up response times by serving frequently accessed content directly from the cache memory. The Nginx cache quickly renders pages by retrieving them from the cache instead of the server.
Nginx Cache Loader
Loads cache metadata into memory at Nginx start-up, ensuring that the cache is ready to immediately serve requests. It scans the cache directories and initializes the in-memory cache structures.
Nginx Cache Manager
Periodically checks the cache for expired content and removes old or unused cache entries to free disk space
Nginx Web Server
Handles HTTP requests sent by clients, serving static content, and forwarding dynamic content requests to the application servers.
Nginx Application Server
Processes requests from clients by running server-side scripts or applications and delivers dynamic content to clients
Nginx Memcache
Serves as a caching layer that stores data in memory for the rapid retrieval of frequently accessed data
Domain Name System (DNS)
Resolves a domain name to its corresponding IP address
DNS server hijacking
The attacker compromises a DNS server and changes its mapping records, so that users' requests for legitimate domain names are redirected to the attacker's rogue DNS server or to attacker-controlled hosts
Recursive DNS query
A method of requesting DNS mapping in which the client's DNS server takes full responsibility for the lookup, querying the root, top-level-domain and authoritative servers in turn until it either obtains the requested domain-name-to-IP-address mapping or determines that the name does not exist
Recursive DNS Query Steps
Step 1: Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in their Transmission Control Protocol (TCP)/IP properties.
Steps 2-7: If the requested DNS mapping is not already cached on the user's primary DNS server, that server queries a root server. The root server does not know the answer but refers the resolver to the name servers for the top-level domain (for example .com), which in turn refer it to the authoritative name servers for the domain. The resolver follows this referral chain until the DNS mapping is resolved.
Step 8: Ultimately, when the authoritative server for the name returns the mapping, the user's primary DNS server caches the IP address for the record's time to live, so that later lookups for the same name are answered locally.
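The steps above are easier to see as a referral chain with a cache in front of it. The following Python simulation is an added example, not code from the original page; the root, TLD and authoritative "servers" and their records are constructed in-memory stand-ins (no real DNS traffic is sent). The resolver starts at the root, follows each referral, caches the final answer, and gives up after a fixed number of hops so a misconfigured referral loop cannot spin it forever.

```python
# Constructed, simplified zone data for the example (not real DNS records).
ROOT = {"com.": "tld-com"}                                    # root knows the TLD delegations
TLD = {"tld-com": {"example.com.": "auth-example"}}           # the .com servers know zone delegations
AUTH = {"auth-example": {"www.example.com.": "93.184.216.34",
                         "mail.example.com.": "93.184.216.35"}}  # authoritative answers


def query(server, name):
    """Answer from one simulated DNS server: returns (rcode, payload)."""
    if server == "root":
        for tld, tld_server in ROOT.items():
            if name.endswith("." + tld):
                return "referral", tld_server          # "ask the .com servers"
        return "nxdomain", None
    if server in TLD:
        for zone, auth_server in TLD[server].items():
            if name == zone or name.endswith("." + zone):
                return "referral", auth_server         # "ask example.com's own servers"
        return "nxdomain", None
    if server in AUTH:
        ip = AUTH[server].get(name)
        return ("answer", ip) if ip else ("nxdomain", None)
    raise ValueError(f"unknown server {server}")


class RecursiveResolver:
    """The user's primary DNS server: does the whole walk on the client's behalf."""
    MAX_HOPS = 8                                       # guard against referral loops

    def __init__(self):
        self.cache = {}                                # name -> IP (TTL handling omitted)
        self.trace = []                                # which server was asked, in order

    def resolve(self, name):
        name = name.lower().rstrip(".") + "."          # canonical, fully qualified form
        if name in self.cache:
            self.trace.append(f"cache: {name}")
            return self.cache[name]
        server = "root"
        for _ in range(self.MAX_HOPS):
            self.trace.append(f"{server} <- {name}")
            rcode, payload = query(server, name)
            if rcode == "answer":
                self.cache[name] = payload             # step 8: cache the mapping
                return payload
            if rcode == "nxdomain":
                return None
            server = payload                           # follow the referral
        raise RuntimeError("too many referrals, giving up")
```

The trace for the first lookup of www.example.com shows exactly three questions (root, .com, example.com); a repeat lookup is answered from the cache without any question. That cache is the asset DNS cache poisoning targets, and the open recursion is what the amplification attack below abuses.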
DNS Amplification Attack
Attacker exploits open recursive DNS servers and spoofed source addresses to perform a DDoS attack, turning small queries into much larger responses aimed at the victim
DNS Amplification Attack Steps
Step 1: The attacker instructs compromised hosts (bots) to make DNS queries in the network.
Step 2: All the compromised hosts spoof the victim's IP address and send DNS query requests to the primary DNS server configured in the victim's TCP/IP settings.
Steps 3-8: If the requested DNS mapping does not exist on the victim's primary DNS server, the server queries the root server, which refers it to the .com or respective top-level domain (TLD) name servers, which in turn refer it to the authoritative servers. This process repeats along the referral chain until the victim's primary DNS server resolves the DNS mapping request.
Step 9: After the primary DNS server finds the DNS mapping for the request, it sends the DNS response to the victim's IP address, because the bots spoofed that address as the source. A DNS response is typically many times larger than the query that triggered it, so the replies to copious DNS mapping requests from the bots are amplified into a flood that results in DDoS on the victim.
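From the victim's side the attack looks like DNS responses arriving that nobody asked for, from many resolvers at once, each response far larger than any query. The following Python detection is an added example, not code from the original page; the flow records are constructed (source, destination, ports and byte counts made up for the illustration, not captured traffic). It pairs DNS query bytes with DNS response bytes per client/resolver pair and flags pairs whose ratio is implausible or that have no query at all.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic): (src_ip, dst_ip, src_port, dst_port, bytes)
FLOWS = [
    ("198.51.100.10", "203.0.113.53", 40001, 53, 64),     # normal query to a resolver
    ("203.0.113.53", "198.51.100.10", 53, 40001, 180),    # its answer
    ("203.0.113.53", "198.51.100.20", 53, 4444, 3000),    # unsolicited large responses ...
    ("203.0.113.54", "198.51.100.20", 53, 4444, 3000),    # ... from several open resolvers ...
    ("203.0.113.55", "198.51.100.20", 53, 4444, 3000),    # ... to the same spoofed victim
    ("198.51.100.30", "203.0.113.53", 5555, 53, 60),      # one small query for a large record ...
    ("203.0.113.53", "198.51.100.30", 53, 5555, 3500),    # ... with a very large answer
]


def amplification_factor(query_bytes, response_bytes):
    """Bytes the reflector sends per byte the attacker had to send."""
    return response_bytes / query_bytes


def dns_reflection_report(flows, ratio_threshold=10.0):
    """Per (client, resolver) pair, compare bytes queried with bytes answered.

    A pair is suspicious when responses dwarf queries, or arrive with no query at all,
    which is how a spoofed-source reflection attack looks from the victim's edge.
    """
    queried = defaultdict(int)     # (client, resolver) -> bytes sent to port 53
    answered = defaultdict(int)    # (client, resolver) -> bytes received from port 53
    for src, dst, sport, dport, nbytes in flows:
        if dport == 53:
            queried[(src, dst)] += nbytes
        elif sport == 53:
            answered[(dst, src)] += nbytes
    report = {}
    for pair, resp in answered.items():
        q = queried.get(pair, 0)
        ratio = amplification_factor(q, resp) if q else float("inf")
        report[pair] = {"query_bytes": q, "response_bytes": resp,
                        "ratio": ratio, "suspicious": ratio > ratio_threshold}
    return report


def victims_under_attack(report, min_reflectors=2):
    """Clients receiving suspicious DNS responses from several resolvers at once."""
    reflectors = defaultdict(set)
    for (client, resolver), row in report.items():
        if row["suspicious"]:
            reflectors[client].add(resolver)
    return {client for client, srcs in reflectors.items() if len(srcs) >= min_reflectors}
```

On the constructed records the host that sent a normal query is left alone, the host with a single large answer is flagged but not counted as a DDoS victim (one resolver could be a legitimate large record), and the host receiving unsolicited responses from three resolvers is reported. On the resolver side the corresponding fix is to refuse recursion for clients outside your own networks and to apply response rate limiting.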
Directory Traversal
An attack in which the attacker manipulates the path in a Uniform Resource Locator (URL), typically with "../" sequences or their URL-encoded forms, so that the web server reads files or directories outside its document root, exposing restricted configuration files, source code or system files
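The vulnerable pattern is a server that joins the requested path onto the document root without checking where the result lands. The following Python pair is an added example, not code from the original page or from any web server; the document root is an assumed path and the requests are constructed. The safe version decodes (twice, to catch double-encoded dots), normalises, and then checks containment on whole path components so that a sibling directory with the same prefix is not mistaken for the root.

```python
import os
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root for the example


def resolve_vulnerable(docroot, requested):
    """Maps the URL path onto the filesystem with no containment check (the bug)."""
    return os.path.normpath(os.path.join(docroot, requested.lstrip("/")))


def resolve_safe(docroot, requested):
    """Decode, normalise, then refuse anything that lands outside the document root."""
    path = unquote(unquote(requested))                 # also catches double-encoded %252e%252e
    if "\x00" in path:                                 # NUL-byte truncation tricks
        return None
    root = os.path.normpath(os.path.abspath(docroot))
    full = os.path.normpath(os.path.join(root, path.lstrip("/")))
    # Compare whole components: "/var/www/html-secret" must not pass as inside "/var/www/html".
    if full != root and not full.startswith(root + os.sep):
        return None
    return full
```

In a real server the containment check should run on os.path.realpath of the candidate so that a symbolic link inside the document root cannot point back out of it; the string-only version here keeps the example independent of the filesystem.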
Website Defacement
Refers to unauthorized changes made to the content of a single web page or an entire website, resulting in changes to the visual appearance of the web page or website
HTTP response-splitting attack
A web-based attack in which the attacker injects carriage-return/line-feed sequences (new lines) into a value that the server copies into a response header, so that additional headers, or an entire second response with attacker-chosen content, are appended to the legitimate response
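The vulnerability card above and this attack card describe the same flaw from two sides, so one example serves both. The following Python code is an added example, not code from the original page: a redirect builder that concatenates a user-supplied location into the header block, the hardened version that rejects control characters, and a counter that shows how many responses a naive proxy or cache would see in the resulting byte stream. The attacker input is constructed; in a real request it would arrive URL-encoded (%0d%0a) and be decoded by the server before use.

```python
import re

_BAD = re.compile(r"[\r\n\x00]")   # CR, LF and NUL must never reach a header line


def build_redirect_vulnerable(location):
    """Concatenates user input straight into the header block (the bug)."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def header_value_ok(value):
    """True when the value can be placed in a header without breaking the framing."""
    return not _BAD.search(value)


def build_redirect_safe(location):
    """Same response, but refuses header values containing line breaks."""
    if not header_value_ok(location):
        raise ValueError("refusing header value with CR/LF")
    return build_redirect_vulnerable(location)   # safe once the value has been validated


def count_responses(raw):
    """Number of HTTP responses a naive downstream parser would find in the byte stream."""
    return len(re.findall(rb"(?:^|\r\n\r\n)HTTP/1\.[01] \d{3}", raw))


# Constructed attacker input for a redirect parameter such as ?next=...: it closes the
# legitimate response and appends a second, attacker-controlled one.
INJECTED_BODY = "<script>alert(1)</script>"
SPLIT_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 f"Content-Length: {len(INJECTED_BODY)}\r\n\r\n{INJECTED_BODY}")
```

The second response is the payload of web cache poisoning: a shared cache that reads the stream sees a complete 200 response and may store the injected body for whatever URL it associates with it. Modern frameworks and servers already reject CR/LF in header values, so the bug survives mostly in hand-rolled header code.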
Web cache poisoning attack
An attacker causes a shared cache (proxy or CDN) to store attacker-controlled content under the cache key of a legitimate URL, so that other users requesting that URL are served the malicious content
HTTP/2 continuation flood attack
Involves exploiting the handling mechanism of HTTP/2 CONTINUATION frames to exhaust the target Apache server causing a DoS Attack
Front jacking
An attacker injects or manipulates the front-end components of a web application, such as scripts or HTML elements, to hijack a user interface or user interactions
Web Server Password Cracking Techniques
- Guessing
- Brute Force Attack
- Dictionary Attack
- Hybrid Attack
Guessing Password Attack
Attacker guesses possible passwords either manually or by using automated tools provided with dictionaries
Dictionary Password Attack
Uses a predefined file containing various combinations of words, and an automated program enters these words one at a time to check if any of them are the password
Brute Force Password Attack
All possible character combinations are tested
Hybrid Password Attack
Uses both a dictionary attack and brute-force attack
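The four techniques differ only in how the candidate list is generated; the checking loop is the same. The following Python code is an added example, not code from the original page or from any cracking tool: three candidate generators (dictionary, hybrid, brute force) fed into one checker. The stored hash format (salted SHA-256), the salt and the tiny wordlist are constructed for the illustration; the attempt counts returned show why the order matters.

```python
import hashlib
import itertools


def hash_password(password, salt):
    """Salted SHA-256, standing in for whatever the target stores (constructed format)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: try each wordlist entry as-is."""
    yield from words


def hybrid_candidates(words, max_digits=2):
    """Hybrid attack: dictionary words with case mangling and numeric suffixes."""
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            yield variant
            for n in range(10 ** max_digits):       # "summer", "summer0" ... "summer99"
                yield f"{variant}{n}"


def brute_force_candidates(charset, max_len):
    """Brute force: every string over the charset up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(target_hash, salt, candidates):
    """Return (password, attempts) on success, (None, attempts) when exhausted."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if hash_password(candidate, salt) == target_hash:
            return candidate, attempts
    return None, attempts


WORDLIST = ["password", "summer", "admin", "welcome"]   # constructed, deliberately tiny
SALT = "s3"                                             # constructed
```

Against a live login form the same generators drive an HTTP client instead of a hash comparison, which is why rate limiting, lockout and monitoring of failed logins are the server-side defences, and why a slow, salted password hash matters when the hash database leaks.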
DoS/DDoS attack
Involves flooding targets with copious fake requests so that the target stops functioning and becomes unavailable to legitimate users
Man-in-the-Middle (MITM) Attack
Allows an attacker to access sensitive information by intercepting and altering communications between an end user and web servers
Phishing Attack
Attackers perform a phishing attack by sending an email containing a malicious link and tricking the user into clicking it. Clicking the link will redirect the user to a fake website that appears similar to the legitimate website.
Web Server Attack Methodology Stages
1. Information Gathering
2. Web Server Footprinting
3. Website Mirroring
4. Vulnerability Scanning
5. Session Hijacking
6. Web Server Password Hacking
Website Mirroring
Method of copying a website and its content onto another server or the attacker's own machine for offline browsing and analysis of its structure, links, scripts and comments
robots.txt file
A website owner creates a robots.txt file in the document root to tell web crawlers which files or directories they should not crawl (Disallow) and, optionally, which they may (Allow) and where the sitemap is. It is advisory only: crawlers may ignore it, and because it is publicly readable, the disallowed paths are a ready-made list of areas worth probing during footprinting.
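Reading robots.txt is one of the first footprinting steps, because its Disallow lines name exactly the paths the owner did not want indexed. The following Python parser is an added example, not code from the original page; the robots.txt text is constructed for the illustration (hypothetical site and paths). It groups rules by user agent, collects sitemap URLs, and cross-checks one answer against the standard library's urllib.robotparser.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for this example (hypothetical site and paths).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""


def parse_robots(text):
    """Return ({agent: {"disallow": [...], "allow": [...]}}, [sitemap URLs])."""
    groups, sitemaps = {}, []
    current, rules_seen = [], False          # agents of the record being built
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if rules_seen:                   # a new record starts after the previous rules
                current, rules_seen = [], False
            groups.setdefault(value, {"disallow": [], "allow": []})
            current.append(value)
        elif key == "sitemap":
            sitemaps.append(value)
        elif key in ("disallow", "allow"):
            rules_seen = True
            if value:                        # an empty Disallow means "nothing is disallowed"
                for agent in current:
                    groups[agent][key].append(value)
    return groups, sitemaps


def paths_to_probe(text, agent="*"):
    """Disallowed paths for an agent: the list a footprinting step wants to enumerate."""
    groups, _ = parse_robots(text)
    return groups.get(agent, {"disallow": []})["disallow"]


def crawler_may_fetch(text, agent, path):
    """The same question answered by the standard library's parser."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp.can_fetch(agent, path)
```

The defensive reading is the mirror image: never rely on robots.txt to hide an admin or backup directory; protect it with authentication or remove it from the web root instead.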
Network Segmentation
Divides a network into separate segments, each on its own switch or VLAN with filtering between them, so that a compromised web server in one segment cannot reach hosts in the others directly
Domain Name System Security Extensions (DNSSEC)
Adds digital signatures to DNS records so that a resolver can verify that an answer is authentic and unmodified, protecting against spoofed responses and cache poisoning; it does not encrypt DNS traffic or hide queries
Patch
A small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data
Software Vulnerability
A weakness in a software program that an attacker can exploit to compromise the program or the system it runs on, for example to run malware or gain unauthorized access
Hotfix
A package used to address a critical defect in a live environment and contains a fix for a single issue
Patch Management
An area of systems management that involves acquiring, testing, and installing multiple patches (code changes) in an administered computer system
Patch Management Steps
1. Detect
2. Assess
3. Acquire
4. Test
5. Deploy
6. Maintain
Manual Patch Installation
The user downloads the patch from the vendor and installs it
Automatic Patch Installation
Applications use an auto update feature to update themselves