Certified Ethical Hacker
Lesson 5
Web Server Hacking, Web Applications, and Database Attacks
Lesson 6
Objectives
After reading this lesson you will be able to:
Identify the components of a web infrastructure
Explain how to scan web servers
Know how to identify web server vulnerabilities
Explain how web application hacking works
Describe web-based authentication
Describe web-based password cracking techniques
Be familiar with SQL vulnerabilities
Web Server Hacking
Web Server Hacking cont.
HTML and HTTP are the standards that originally
defined web architecture.
HTTP has four stages.
Web attacks focus on
– Scanning
– Banner grabbing
– Attacking the web server
– Surveying the application
– Attacking authentication
– Exploiting the database
Scanning Web Server
Common ports:
– 80 – HTTP
– 88 – Kerberos
– 8080 – Squid
– 8888 – Alternative web server
Scanning tools:
– ID Serve
– ScanLine
– SuperScan
– Nmap
Using Nmap Scripts
The -sC option enables the most common scripts, while the --script option
lets you specify a particular script. The --script option also takes comma-separated
values as arguments. The arguments specify which scripts will be executed when
Nmap starts. Several examples are shown here:
– nmap -sV -O -p 80 IP_address
– nmap -sV --script=http-enum IP_address
– nmap IP_address -p 80 --script=http-frontpage-login
– nmap --script http-passwd --script-args http-passwd.root=/ IP_address
Banner Grabbing and Enumeration
The attacker tries to get additional information about the servers and their
components.
Popular web servers:
– IIS web server
– Apache web server
– Sun ONE web server
Tools for enumeration and banner grabbing:
– Netcraft
– Telnet
– Netcat
– Wikto
– Black Widow
– Teleport Pro
– Wget
Web Server Vulnerability Identification
Perform this step after the vendor and version of the web server are identified.
Check sites that list known vulnerabilities:
– www.securityfocus.com
– www.packetstormsecurity.org
– http://nvd.nist.gov
– http://exploitdg.com
Attacks Against Web Servers
IIS Vulnerabilities:
– Buffer overflow attacks:
• ISAPI DLL Buffer overflow attack:
– Discovered June 2001
– Affects Windows NT and 2000
– Targets idq.dll – runs as SYSTEM, so the attacker can escalate and add himself to the Administrators group
• IPP Printer Overflow attack:
– Discovered 2001
– Affects Windows 2000 running IIS 5.0
• Metasploit can be used to launch buffer overflow attacks
– Source disclosure attacks:
• Can be used to uncover passwords, web design, or business logic
• +.htr exploit
– File system traversal attacks:
• Unicode input validation attack
– DNS amplification attack
• Reflect large amounts of DNS traffic
DNS Amplification
Securing IIS
Harden before deploying.
Patch management:
– Use automated patch management tools:
• Windows Server Update Services
• Microsoft HotFix Checker
• GFI LANguard
Disable unneeded services:
– Microsoft Baseline Security Analyzer
– IIS Lockdown
– SOAPUI
– Retina
Lock down the file system:
– Use NTFS and enable file level security and encryption.
Enable logging and auditing.
Web Application Attacks
Unvalidated input
– Input from client is not validated before processing.
Parameter/form tampering
– Manipulation of the parameters passed between the client and the web application
Injection flaws
– Allows for untrusted data to be executed as valid
– SQL injection
– Command injection
– File injection
– LDAP injection
– XML injection
Web Application Attacks cont.
Cross site scripting (XSS) and cross site request forgery attacks
– Gained popularity in recent years
– Depend on input that is not properly sanitized
Cross site request forgery (CSRF)
Hidden fields attack
– The attacker can modify hidden fields following these three steps:
• Save page locally and open source code.
• Modify the amount and save the page.
• Refresh the local HTML page and click Add to Cart.
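The hidden-field scenario above seen from the server side, as an added example that is not part of the course slides: the vulnerable handler charges whatever "amount" the browser submits, the hardened one takes only the SKU and looks the price up. The catalog, field names and form values are constructed for this demo.

```python
import html

# Server-side catalog: the only authoritative source of prices (constructed).
CATALOG = {"sku-100": 49.99, "sku-200": 120.00}


def render_form_vulnerable(sku: str) -> str:
    """Emits the price as a hidden field, putting it under the client's control."""
    return (f'<input type="hidden" name="sku" value="{html.escape(sku)}">'
            f'<input type="hidden" name="amount" value="{CATALOG[sku]:.2f}">')


def add_to_cart_vulnerable(form: dict) -> float:
    """Trusts the submitted 'amount': saving the page, editing the value and
    re-submitting (the three steps on the slide) changes what is charged."""
    return float(form["amount"])


def add_to_cart_hardened(form: dict) -> float:
    """Ignores any client-supplied price: only the SKU is read from the form,
    and it must exist in the server-side catalog."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown item")
    return CATALOG[sku]


if __name__ == "__main__":
    # The form as an honest browser submits it, then the same form after the
    # hidden "amount" field was edited in the locally saved copy (constructed).
    honest = {"sku": "sku-200", "amount": "120.00"}
    tampered = {"sku": "sku-200", "amount": "0.01"}
    print(add_to_cart_vulnerable(honest), add_to_cart_vulnerable(tampered))  # 120.0 0.01
    print(add_to_cart_hardened(honest), add_to_cart_hardened(tampered))      # 120.0 120.0
```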
Cross-site Request Forgery
Input Validation
Other security issues directly related to a lack of input validation include
– DoS: Any technique used to target availability in any way. For example, the
attacker might create a program to submit registration forms repeatedly until
all resources are exhausted.
– Session fixation: The attacker tricks the user into accessing a web server
using an explicit session ID value. This can be accomplished via a
client-side script, an HTTP response header, or a <META> tag.
• An example of the URL sent to the victim would appear as follows; notice
how the sessionid is passed: http://knowthetrade.com/<meta http-equiv=Set-Cookie content="sessionid=abc123">
– Direct OS commands: The unauthorized execution of OS commands.
– SOAP injection: The attacker injects malicious query strings in user input
fields to bypass web services authentication.
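A session store that defeats the session-fixation case above, added here as an example and not taken from the slides: the server only honours IDs it issued itself and rotates the ID at login, so a planted value such as the sessionid=abc123 in the <meta> example never becomes an authenticated session. The class and method names are assumptions for this demo.

```python
import secrets
from typing import Optional


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}  # session_id -> {"user": name or None}

    def new_session(self) -> str:
        """Issue a server-generated, unguessable session ID (pre-login)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid: Optional[str]) -> str:
        """Honour the cookie only if this server issued it; otherwise start a
        new session. A planted value such as 'abc123' is never adopted."""
        if cookie_sid in self._sessions:
            return cookie_sid
        return self.new_session()

    def login(self, cookie_sid: Optional[str], user: str) -> str:
        """Authenticate and rotate the ID: whatever pre-login ID the attacker
        planted (and therefore knows) is discarded at the moment of login."""
        old = self.resolve(cookie_sid)
        self._sessions.pop(old, None)
        new = self.new_session()
        self._sessions[new]["user"] = user
        return new

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        """Look up the authenticated user for a session ID, if any."""
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    store = SessionStore()
    planted = "abc123"  # the sessionid value from the slide's <meta> example
    issued = store.login(planted, "victim")
    print(store.user_for(planted), store.user_for(issued))  # None victim
```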
Web-Based Authentication
Four common types of authentication:
– Basic:
• Uses exclusive ORing (XOR)
• Weak form of encryption that can be compromised easily
– Message digest:
• Uses MD5 algorithm
– Certificate-based:
• Uses public key cryptography
– Forms-based:
• Uses cookies
Web-Based Password Cracking
Three basic types of password attacks:
– Dictionary:
• Uses a dictionary list to crack the password
• Fast but successful only if a dictionary word was used as the password
– Hybrid:
• Uses a dictionary file but adds numbers or symbols to the dictionary words
– Brute force:
• Tries to crack the password by using every possible combination of characters specified by the user
• Time-consuming
Password cracking tools:
– WebCracker
– Brutus
– THC Hydra
Cookies
Store information about user preferences, usernames and passwords, cart contents, and so on.
Tools to view cookies:
– CookieSpy
– Cookie Digger
URL Obfuscation
Hiding addresses in URLs to bypass filters or other defenses that block specific IP addresses
Encodes the data so it cannot be easily viewed
Common encoding schemes
– Hex
– HTML
– Base64
– Unicode
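A normaliser for the four encodings listed above, added as an example that is not from the slides: a filter that compares raw strings is bypassed by hex (percent), HTML-entity, Base64 or \uXXXX encoding, so the request is decoded repeatedly (covering double encoding) before it is checked. The sample URLs, the blocklist and the Base64 parameter name "u" are constructed for this demo.

```python
import base64
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


def normalize_url(url: str, rounds: int = 3) -> str:
    """Decode percent (hex), HTML-entity and \\uXXXX encodings repeatedly until
    the string stops changing (double encoding); 'rounds' bounds the work."""
    for _ in range(rounds):
        before = url
        url = unquote(url)        # %2e%2e%2f    -> ../
        url = html.unescape(url)  # &#46;&#46;/  -> ../
        url = re.sub(r"\\u([0-9a-fA-F]{4})",
                     lambda m: chr(int(m.group(1), 16)), url)  # \u002e -> .
        if url == before:
            break
    return url


def decode_b64_param(url: str, name: str = "u") -> str:
    """Decode a Base64-encoded target parameter (e.g. ?u=Li4v -> ../)."""
    value = parse_qs(urlsplit(url).query).get(name, [""])[0]
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
        return raw.decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def is_blocked(url: str, blocklist=("../", "/etc/passwd")) -> bool:
    """Filter that compares the normalised forms, not the raw request."""
    candidates = (normalize_url(url), normalize_url(decode_b64_param(url)))
    return any(bad in c for bad in blocklist for c in candidates)


if __name__ == "__main__":
    # Constructed samples: the same traversal hidden five different ways.
    for u in ("/files?p=%2e%2e%2f", "/files?p=%252e%252e%252f",
              "/files?p=&#46;&#46;/", "/r?u=Li4v", "/files?p=\\u002e\\u002e/"):
        print(is_blocked(u), normalize_url(u))
```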
Intercepting Web Traffic
Web Proxies:
– Allow attackers to attack and debug web applications.
– Act as a man-in-the-middle.
– Burp Proxy.
– Paros Proxy.
– OWASP ZAP.
OWASP ZAP
Database Overview
Database types:
– Hierarchical database management systems
– Network database management systems
– Relational database management systems
– Object-oriented database management systems
Identifying SQL Servers
Popular databases and ports:
– Oracle Net Listener – port 1579
– Microsoft SQL – port 1433
– MySQL – port 3306
SQL injection:
– The attacker takes advantage of insecure code and sends his SQL statements to the database.
– One of the most common attacks.
SQL Injection Vulnerabilities and Hacking Tools
Simple SQL injection
– Nonvalidated input
– Poor coding practices
UNION SQL injection
– Uses the UNION command
Error-based SQL injection
– Uses poorly constructed SQL statements to get error messages and table names
Blind SQL injection
– Unpatched systems
Tools:
– SQLDict
– SQLExec
– SQLbf
– BSQL Hacker
– SQL2.exe
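The simple, UNION and error-based cases above reproduced against an in-memory SQLite table, as an added example that is not from the slides: the string-built query stands beside its parameterised replacement so the difference in behaviour is visible. The schema, rows and inputs are constructed for this demo and no real system is involved.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for an application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    con.execute("CREATE TABLE secrets (id INTEGER, val TEXT)")
    con.execute("INSERT INTO secrets VALUES (1, 'internal-token')")
    return con


def login_vulnerable(con, name: str, pw: str) -> list:
    """Non-validated input pasted into the statement (the poor coding practice
    above): quote characters in 'name' rewrite the query itself."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchall()


def login_hardened(con, name: str, pw: str) -> list:
    """Same query with placeholders: the values travel separately from the
    SQL text, so a quote in 'name' is data and the comment/UNION tricks fail."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchall()


def probe_error(con, name: str) -> str:
    """Error-based case: a lone quote breaks the string-built statement and the
    raw database error is what leaks when the application echoes exceptions."""
    try:
        login_vulnerable(con, name, "x")
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    con = make_db()
    # Simple injection (constructed input): comment out the password check.
    print(login_vulnerable(con, "alice'--", "x"))  # [('alice', 'admin')]
    print(login_hardened(con, "alice'--", "x"))    # []
    # UNION injection: rows from another table are appended to the result set.
    union = "x' UNION SELECT id, val FROM secrets--"
    print(login_vulnerable(con, union, "x"))       # [(1, 'internal-token')]
    print(login_hardened(con, union, "x"))         # []
    print(probe_error(con, "'"))                   # raw SQLite syntax error
```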
Lesson 5
Summary
Explain web architecture.
Know the tools used to scan web servers.
Explain how to perform banner grabbing and enumeration.
Identify web server vulnerabilities.
Describe attacks against web servers.
Describe common authentication types.
Describe databases and SQL injection attacks.