Web attacks must first identify what is present and offer the best mode of attack. Web attacks focus on the following:
- Scanning – Tools, such as Nmap and SuperScan, can be used.
- Banner grabbing – Identifies the server and version. Netcat and Telnet are useful here.
- Attacking the web server – The script kiddies’ dream would be to find unpatched servers or discover a recently discussed vulnerability that hasn’t been patched yet.
- Surveying the application – Because it’s more advanced than a direct web server attack, attacking the application could go unnoticed.
- Attacking authentication – Weak forms of authentication might allow the attacker to beat authentication or guess commonly used passwords.
- Exploiting the database – A tempting target for hackers looking to make a profit in identity or credit card theft.
Web browser send HTTP requests to the Web server. The firewall captures this traffic and, typically, concentrates on analyzing the communication parameters of the traffic. It checks the destination port, the source and destination IP addresses, and similar other attributes. However, a firewall’s weakness lies in its inability to verify the data portion (e.g., requests) of the communication consistently. This allows the request to appear legitimate to the firewall. When it arrives at the Web server, it is serviced normally. However, the request may be malicious and exploit a server vulnerability, producing undesired results.
Web Server Services
Web servers offer the following services:
File Transfer Protocol (FTP) Service
The Web server File Transfer Protocol (FTP) service can transfer any type of file between the Web server and an FTP client. The Web server FTP service handles concurrent access by multiple FTP clients. Each FTP client establishes a socket connection to the Web FTP service, and logs onto it. Web browsers hide the login process from the user.
FTP clients use a limited set of commands, and have restricted file access. The socket connection to the Internet Information Server FTP Service lasts until the FTP client disconnects. FTP is one of the earliest Internet TCP/IP protocols. Web browsers and other graphical interface applications have replaced early FTP client applications. Most FTP services do not provide descriptions of files. Browsing through directories is a slow process.
Gopher Service
The Internet Gopher is a tool for browsing through files and directories over the Internet. A Gopher client establishes a socket connection to a Web server Gopher service. Login is usually not required for a Gopher client.
A Gopher client displays a hierarchy of items and directories much like a file system, in a menu of text-labeled choices. It may be a list of files, subdirectories, or a combination of both. A Gopher client copies a selected file over the network and displays it.
The Gopher menu can point to files and directories on other Gopher servers on the Internet. It was the first Internet service to offer such a feature.
The Internet Gopher has limited graphical presentation abilities. It cannot present graphics and text together. The Internet Gopher and HTTP are similar network protocols. They became available at about the same time. Most new Internet sites do not offer Gopher services.
World Wide Web (WWW) Service
Web browsers processing HTML documents use Internet HTTP protocol to transact with World Wide Web (WWW) Service. Web Server WWW Service knows how to respond to an HTML request by analyzing URL fields.
- Static HTML Page – WWW Service looks for a file name in the path field. An example is: http://www.infomax.com/welcome.htm
- CGI Application – WWW Service looks for a file name in the path field with a file extension that has been associated with an application. An example is: http://www.infomax.com/cgiapps/gcidoit.pl
The HyperText Transmission Protocol is a stateless protocol designed to process a single transaction during a connection to a server. It is layered on the TCP and IP protocols. There are four steps during a single HTTP transaction:
- Connection – The HTTP client establishes a socket connection to the Web WWW service.
- Request – The HTTP client sends a request to the Web WWW service. The request contains the type of HTTP service request and other information.
- Response – The Web WWW service sends a response back to the HTTP client. The response contains the state of the transaction and the data requested.
- Disconnection – The Web WWW service signals the end of the transaction by closing the socket connection.
A Web browser makes a connection to a Web server WWW service for each file that is a part of the HTML document. It makes a connection for the HTML text file first. The WWW server disconnects after sending it. The Web browser parses the returned text file looking for graphical image file names. It then makes a connection to the Web server and requests a single graphical image file. The Web server disconnects after sending it. This process repeats for each graphical file. HTTP is the most used Internet protocol. It accounts for about 25 percent of Internet packets. FTP Internet protocol is second. It accounts for about 15 percent of Internet packets.
Scanning Web Servers
You cannot attack what you don’t know exists. Therefore, after you have a target range of IP addresses, you will want to look for web services. Although standard web servers run on port 80 or 443, other ports should be scanned when you look for web-based applications. These include the following
Port | Service |
80 | HTTP |
88 | Kerberos |
8080 | Squid |
8888 | Alternate Web Server |
The tools used to scan for these services are ScanLine, SuperScan and Nmap.
Banner Grabbing and Enumeration
After possible web servers have been identified, the attacker usually attempts to enumerate additional details about the server and its components. Popular web servers include IIS Web Server and Apache Web Server. A great tool used for enumeration which require no install is available at www.netcraft.com. Netcraft runs a great service called “What’s this site running,” which gathers details about web servers. Tools like Telnet and Netcat, can also identify the web server.
Just telnet to the site and watch for the results
C:\>telnet www.examcram.com 80
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 28 Nov 2005 06:08:17 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head><body>
The parameter is incorrect. </body>
</html>
Connection to host lost.
Netcat can also identify the web server as
- Create a text file called head.txt.
GET HEAD / 1.0
CR
CR
- Run Netcat with the following parameters, as
nc -vv webserver 80 < head.txt
- Watch the results:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Tue, 29 Nov 2005 04:12:01 GMT
Content-Type: text/html
Content-Length: 91
<html><head><title>Error</title></head><body>
The parameter is incorrect. </body>
</html>
Connection to host lost.
An open source application called Wikto is an extended version of Nikto. It was developed at Sensepost and can be downloaded at www.sensepost.com/research/wikto. This tool is great because it can thoroughly examine web servers and probe for vulnerabilities.
Site rippers are a good way to make a duplicate of the website that has been handily stored on your hard drive. These programs allow you to go through the site a page at a time and examine the HTML code to look for useful information. Some tools are
- Black Widow A Windows website scanner and site ripper. Use it to scan a site and create a complete profile of the site’s structure, files, email addresses, external links, and even link errors.
- Wget A command-line tool for Windows and UNIX that will download the contents of a website, an open source site ripper, and duplicator.
Web Server Vulnerability Identification
After identifying the vendor and version of the web server, search for vulnerabilities. As an example, if the product were identified to be Microsoft IIS 6.0, it was released with Windows 2003; or if it were Microsoft IIS 5.0, it was released with Windows 2000. With this information in hand, the attacker would simply troll some of the websites that list vulnerabilities. Some of the sites the attacker and security administrators would most likely visit to identify possible vulnerabilities include
- securityfocus.com
- packetstormsecurity.org/
- http://nvd.nist.gov
Web Server Attacks
Various web server attacks are
Buffer Overflow Attacks
Buffer overflow vulnerabilities stem from problems in string handling. Whenever a computer program tries copying a string or buffer into a buffer that is smaller than itself, an overflow is sometimes caused. If the destination buffer is overflowed sufficiently it will overwrite various crucial system data. In most situations an attacker can leverage this to takeover a specific program’s process, thereby acquiring the privileges that process or program has.
The ISAPI DLL Buffer Overflow attack was originally discovered in June 2001. It affects Windows NT and 2000. The exploit targets idq.dll. When executed, this attack can lead to a buffer overflow that can compromise servers running IIS. What makes this vulnerability particularly malicious is that the service, part of IIS Indexing, does not even need to be actively running. Because idq.dll runs as system, the attacker can easily escalate his privilege and add himself to the administrator’s group. The IPP Printer Overflow attack was discovered in 2001 and affects Windows 2000 systems running IIS 5.0. It is a buffer overflow attack, and it also targets the ISAPI filter (mws3ptr.dll) that handles .printer files. If the buffer is sent with at least 420 characters, it will overflow and might potentially return a command prompt to the attacker. Several tools are available to exploit this vulnerability, including IIs5hack and jill-win32. These exploits insert shell code to shovel a shell back to the listener on the attacker’s system.
Parser Evasion Attacks
Insecure string parsing can allow attackers to remotely execute commands on the machine running the Web server. If the CGI script or Web server feature does not check for various characters in a string, an attacker can append commands to a normal value and have the commands executed on the vulnerable server.
Directory Traversal Attacks
In certain situations, various characters and symbols can be used to break out of the Web server’s root directory and access files on the rest of the file system. By checking for these characters and only allowing certain directories to be accessed, directory traversal attacks are prevented.
General Exploitation
Buffer overflows, format bugs, parser problems, and various other attacks will contain similar data. Exploits that execute a command shell will almost always have the string “cmd.exe” in the exploiting data. By checking for common attacker “payloads” involved with these exploits, we can prevent an attacker from gaining unauthorized access to your Web server and its data.
Source disclosure attack
This type of attack can uncover passwords, web design, or business logic. One example of this is the +.htr exploit. Because of vulnerabilities in the ISM.dll, IIS4 and IIS5 can be made to disclose source data, rather than executing it. An attacker accomplishes this by appending +.htr to the global.asa file; Netcat can help exploit this vulnerability
Directory or File system traversal attack
A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to the file APIs.
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.
Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.
Denial of Service or DoS
A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
As clarification, distributed denial-of-service attacks are sent by two or more people, or bots, and denial-of-service attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.
A wide array of programs are used to launch DoS-attacks. Most of these programs are completely focused on performing DoS-attacks, while others are also true packet injectors, able to perform other tasks as well. Such tools are intended for benign use, but they can also be used in launching attacks on victim networks. Freely available automated tools like HOIC and LOIC are intended for DOS attack.
Cache Poisoning
Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server’s domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or other malware can be downloaded to the user’s computer from the rogue location.
The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although only the user of the local browser instance will be affected.
To successfully carry out such an attack, an attacker:
- Finds the vulnerable service code, which allows them to fill the HTTP header field with many headers.
- Forces the cache server to flush its actual cache content, which we want to be cached by the servers.
- Sends a specially crafted request, which will be stored in cache.
- Sends the next request. The previously injected content stored in cache will be the response to this request.
This attack is rather difficult to carry out in a real environment. The list of conditions is long and hard to accomplish by the attacker. However it’s easier to use this technique than Cross-User Defacement.
A Cache Poisoning attack is possible because of HTTP Response Splitting and flaws in the web application. It is crucial from the attacker’s point of view that the application allows for filling the header field with more than one header using CR (Carrige Return) and LF (Line Feed) characters.
Variants
- Redirect the target domain’s nameserver – The first variant of DNS cache poisoning involves redirecting the nameserver of the attacker’s domain to the nameserver of the target domain, then assigning that nameserver an IP address specified by the attacker. DNS server’s request: what are the address records for subdomain.attacker.example?
- Redirect the NS record to another target domain – The second variant of DNS cache poisoning involves redirecting the nameserver of another domain unrelated to the original request to an IP address specified by the attacker.DNS server’s request: what are the address records for subdomain.attacker.example?
FTP Attacks
The FTP protocol not only allows you to transfer files from an ftp server to your machine but from one ftp server to another ftp server directly.
PASV Versus ACTIVE
The FTP protocol actually uses two channels for communications: a control channel and a data channel. The control channel uses tcp port 21. Clients connect to it from a local port (on Windows for example this is between 1024 and ~5000 or so) and then send and receive information. When you request a file it is sent over the data channel which can behave in one of two ways.
With active ftp, the client specifies to the server how the transfer will be done. The client chooses a local port and tells the server to send data to it. The server initiates a connection from port 20 to the client and sends the data. The problems with this are numerous; the primary one being the firewalls must allow incoming connections from port 20 to a large selection of ports on internal machines. This allows attackers to easily scan internal machines by initiating connections from port 20.
With passive mode ftp the client asks the server for a file and the server specifies how the transfer will be done. The server chooses a port (typically 1024 to ~5000, incremented by one for each new connection) and then tells the client to connect to that port and receive the file. This has one major advantage over active mode ftp: since the client initiates the connection you do not need to put holes in your firewall to allow incoming connections. There is, however a major disadvantage as well.
FTP Bounce Attack
FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle man for the request. This technique can be used to port scan hosts discreetly, and to access specific ports that the attacker cannot access through a direct connection, for example with the nmap port scanner. Nearly all modern FTP server programs are configured by default to refuse PORT commands that would connect to any host but the originating host, thwarting FTP bounce attacks.
Other common problems include misconfigured FTP servers that allow for people to upload and download files from the same directory, thus turning your ftp server into a global /tmp directory for people to share data with each other (usually “warez”). This, of course, ignores all the root hacks that have been found over the years in various ftp daemons (including OpenBSD’s).
E-mail Attacks
Malware Distribution
Hackers with malicious intent can exploit your email client by distributing malware through email messages. The malware includes viruses, worms, rootkits, Trojans, keyloggers, spyware, and adware, to name a few types. The malware is distributed via an email attachment or sometimes by simply opening an email message. More often than not, the mail message is disguised as a message from someone you know when in reality; it is sent by the hacker.
Phishing Attack
A phishing attack is generally not hazardous to the inner workings of your PC however; it is designed to trick you into revealing your personal information, passwords, or bank account information. For example, if you use PayPal, the phisher sends you a message that looks like it came from PayPal. The message requests you to verify your account information with PayPal to continue using your account. The message proceeds to tell you that if you do not verify the information your account will be closed. Someone that is unaware of phishing scams easily gets tricked into revealing their account information. These types of messages are set up to look like the real deal.
Spam Attack
Spam is unsolicited email or “junk” mail that you receive in your Inbox. Spam generally contains advertisements but it can also contain malicious files. When you click on spam, the files are downloaded into your email client and into your PC. The same thing can happen if you reply to spam in an attempt to get removed from the list.
If your mail server is configured to allow relaying of spam (by permitting unauthenticated mail to be relayed), not only does it place a burden on your mail server having to deliver all that additional email, but it could blacklist your domain. Blacklisting is exactly what it sounds like. Most modern mail servers use several anti-spam controls.
Denial of Service Attack or Mail Bombing
A denial of service attack occurs when the hacker sends multitudes of email messages to your email client in an effort to block you from using your email client or crashing your computer altogether. In the case of an organization, a denial of service attack on email can crash an entire network and prevent the users from responding to legitimate traffic.
Attacker targets email system by sending overly large email messages to users such as postmaster or Webmaster. This not only affects your Internet connection bandwidth, but also your mail server’s capability to handle other email. An attack such as this could easily fill up your mail server’s mail store drive, preventing you from sending or receiving new email.
Telnet Attacks
Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Through Telnet, an administrator or another user can access someone else’s computer remotely. On the Web, HTTP and FTP protocols allow you to request specific files from remote computers, but not to actually be logged on as a user of that computer. With Telnet, you log on as a regular user with whatever privileges you may have been granted to the specific application and data on that computer.
A Telnet command request looks like this (the computer name is made-up):
telnet the.libraryat.whatis.edu
The result of this request would be an invitation to log on with a userid and a prompt for a password. If accepted, you would be logged on like any user who used this computer every day.
Telnet attacks are
- Telnet communication sniffing
- Telnet brute force attack
- Telnet DoS – Denial of Service
Telnet communication sniffing
This article is all about telnet and attacks that are mostly directed to his functionality. The biggest security issue in telnet protocol is surely lack od encryption. Every communication from remote device to networking device that we are configuring is sent in plain text. Of course, that is big security issue and in situations where we use telnet we are making our command vulnerable to frame sniffing. Attacker can easily se what are we configuring on that device and furthermore he can se the password that we have used to connect to device and enter configuration mode.
For this reason today the telnet is used only in closed lab environments because it is simpler to configure telnet that SSH. In all other environments SSH is these days used as default. By using SSH instead of telnet we have in a way solved the biggest security issue but this doesn’t mean that we must not speak about other attacks that can be used to compromise telnet.
Telnet brute force attack
Telnet protocol can be used by an attacker to gain remote access to a network switch or other vendors to of course. If we configure a login password for the vty lines and set the lines to require password authentication to have permission to access the switch we are still not secure. This vty password on the telnet lines provides only an essential and basic level of security to help protect the switch from unauthorized access. However, it is not a secure method of securing access to the vty lines. There are a lot of tools available that are able to launch a brute force password cracking attack against the vty lines on the switch.
DoS Attack
Another type of Telnet attack is the DoS – denial of service attack. DoS attacks in general is simply a way to disrupt the communication of two network devices by using all the bandwidth that they connection has to offer. To do so attacker sends many not useful and irrelevant data frames and in this manner suffocate the connection. The genuine communication will not be able to get across this connection and will not function. This sort of attack can be also used to prevent network administrators to telnet into their devices.
Securing Server
Securing server requires applying some defense in depth techniques. Few good defenses are
Harden before you deploy
Ensure that the network is safe and protected. It is recommended practice to have the server fully hardened before you plug it into the network
Patch management
Security patches and updates are critical to ensuring that the operating system and IIS are running with the latest files and fixes. An un-patched server can suffer a multitude of attacks that target well-known exploits and vulnerabilities.
Disable unneeded services
Operating system has a variety of services that can run in the background to provide continuous functionality or features to the operating system.
Lock down the file system
Enable file-level security, it will allow full access control at the folder and/or file levels. File-level security is the last level of access control before a request is fulfilled by the operating system.
Logging and auditing
Auditing allows you to understand and detect any unusual activity. Although auditing is not a preventative measure, it will provide valuable information about the access activity on server. Logging can provide you with details such as when, where, and how the access occurred and whether the request was successfully processed or rejected by the server.