ECE 4893: Internetwork Security Lab 12: Web Security



Similar documents
Vulnerability Assessment Lab

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

DSI File Server Client Documentation

Running a Default Vulnerability Scan

Training module 2 Installing VMware View

Kaseya Server Instal ation User Guide June 6, 2008

How To Export Data From Exchange To A Mailbox On A Pc Or Macintosh (For Free) With A Gpl Or Ipa (For A Free) Or Ipo (For Cheap) With An Outlook 2003 Or Outlook 2007 (For An Ub

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

RecoveryVault Express Client User Manual

Online Backup Client User Manual

WhatsUp Gold v16.3 Installation and Configuration Guide

1. Product Information

Online Backup Linux Client User Manual

Online Backup Client User Manual Linux

Online Backup Client User Manual

Customer Tips. Xerox Network Scanning TWAIN Configuration for the WorkCentre 7328/7335/7345. for the user. Purpose. Background

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Cisco SSL Encryption Utility

Patch Management. Module VMware Inc. All rights reserved

Running a Default Vulnerability Scan SAINTcorporation.com

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

PageScope Enterprise Suite

Livezilla How to Install on Shared Hosting By: Jon Manning

EVALUATION ONLY. WA2088 WebSphere Application Server 8.5 Administration on Windows. Student Labs. Web Age Solutions Inc.

2X Cloud Portal v10.5

AXIGEN Mail Server. Quick Installation and Configuration Guide. Product version: 6.1 Document version: 1.0

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Vulnerability analysis

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

Network and Host-based Vulnerability Assessment

Chapter 2 Editor s Note:

IUCLID 5 Guidance and Support

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Administrator Manual

(WAPT) Web Application Penetration Testing

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

Lab 9: Pen Testing (NESSUS)

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Connecting to Pitt s SRemote VPN Using Windows Vista / Windows 7 January 2012

Opacus Outlook Addin v3.x User Guide

5. At the Windows Component panel, select the Internet Information Services (IIS) checkbox, and then hit Next.

Omniquad Exchange Archiving

SYWorks Vulnerable Web Applications Compilation For Penetration Testing Installation Guide

NAS 225 Introduction to FTP Explorer

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

Web Security School Final Exam

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Lab Configuring Access Policies and DMZ Settings

EXTRA. Vulnerability scanners are indispensable both VULNERABILITY SCANNER

Version 1.0 January Xerox Phaser 3635MFP Extensible Interface Platform

Desktop Sync is recommended for use only by teachers and other staff members in schools, not by students.

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Kaseya 2. Installation guide. Version 7.0. English

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Using Internet or Windows Explorer to Upload Your Site

Installing and Configuring Microsoft Dynamics Outlook Plugin to Use with ipipeline MS CRM

MadCap Software. Upgrading Guide. Pulse

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

ez Agent Administrator s Guide

Setting Up Scan to SMB on TaskALFA series MFP s.

Thirtyseven4 Endpoint Security (EPS) Upgrading Instructions

TransNav Management System Documentation. Management Server Guide

Advanced Web Security, Lab

Ethical Hacking as a Professional Penetration Testing Technique

Vulnerability Remediation Plugin Guide

Introduction to Nessus by Harry Anderson last updated October 28, 2003

Central Administration User Guide

OutDisk 4.0 FTP FTP for Users using Microsoft Windows and/or Microsoft Outlook. 5/1/ Encryptomatic LLC

Installing and Configuring Nessus by Nitesh Dhanjani

FileMaker Server 15. Getting Started Guide

Manual Password Depot Server 8

Campus VPN. Version 1.0 September 22, 2008

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

IDS and Penetration Testing Lab ISA656 (Attacker)

CC File Transfer. User Manual

Bitrix Site Manager ASP.NET. Installation Guide

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Managing your accounts

An Insight into Cookie Security

Mediasite EX server deployment guide

WS_FTP Professional 12 and WS_FTP Home 12. Getting Started Guide

Installation Guide for AmiRNA and WMD3 Release 3.1

SECURE Web Gateway. HTTPS/SSL Technical FAQ. Version 1.1. Date 04/10/12

1. Installation Overview

Lepide Active Directory Self Service. Installation Guide. Lepide Active Directory Self Service Tool. Lepide Software Private Limited Page 1

HP WebInspect Tutorial

Proteome Discoverer Version 1.4

NAS 253 Introduction to Backup Plan

Web Browsing Examples. How Web Browsing and HTTP Works

Massey University Follow Me Printer Setup for Linux systems

USING STUFFIT DELUXE THE STUFFIT START PAGE CREATING ARCHIVES (COMPRESSED FILES)

8.7. NET SatisFAXtion Gateway Installation Guide. For NET SatisFAXtion 8.7. Contents

Talk Internet User Guides Controlgate Administrative User Guide

Look for the 'BAERCOM Instruction Manual' link in Blue very near the bottom.

Advanced Event Viewer Manual

Xerox 700 Digital Color Press with Integrated Fiery Color Server. Utilities

Transcription:

Group Number: Member Names: ECE 4893: Internetwork Security Lab 12: Web Security Date: April 6, 2004 Date Due: April 13, 2004 Last Revised: April 2, 2004 Written by: Tom Bean and Valerio Oricchio Goal: The goal of this lab is to setup an Apache Web server with third-party modules, and exploit some vulnerabilities using various tools. This lab s focus will in be web server hacking. Web server hacking refers to attackers taking advantage of vulnerabilities inherent to the web server software itself (or one of its add-on components). These vulnerabilities are typically publicized and are easy to detect and attack. An attacker with the right set of tools and ready-made exploits can bring down a vulnerable web server in minutes. For this reason, it is crucial for web administrators to always patch their web server and related software. Copy the files from the Lab12 Folder on the NAS to the various machines On the Redhat 8.0 host machine: # mkdir /root/lab12 # cp -rf /mnt/nas4893/lab12/rh8.0/* /root/lab12 On the Windows XP virtual machine: Create a folder called lab12 on the desktop. Copy the contents of the Windows directory of Lab12 on the NAS, to this folder. For this lab we will be accessing an Apache web server on the Mininet. The address is 138.210.238.42 and the domain name is www.cc.gatech.edu. Exercise 1: Web Security Utilities Some of the following utilities will need SSL support so first and foremost, install OpenSSL on the Redhat 8.0 host: # cd /root/lab12 # tar xvfz openssl-0.9.6j.tar.gz 1

# cd openssl-0.9.6j #./config -shared --prefix=/usr/local/ssl -fpic # make # make test # make install Now the utilities we install can use the SSL libraries. WGET When targeting a web server, a serious hacker would study its content thoroughly. This might involve downloading its entire content for offline examining at his leisure. Doing this manually would be very tedious and tiresome, so luckily there are some useful tools readily available that would automate this process. WGET is a free software package for retrieving files using HTTP, HTTPS, and FTP. It can be downloaded from http://www.gnu.org/software/wget/wget.html. To install wget: On the Redhat 8.0 physical machine, change to the utilities folder: # cd /root/lab12/utilities Now build wget: # tar xvfz wget-1.9.1.tar.gz # cd wget-1.9.1 #./configure prefix=/usr/local/wget --with-ssl # make # make install To use wget to download a complete website, do the following: # mkdir /root/lab12/downloaded # wget -P /root/lab12/downloaded -m http://138.210.238.42 This transfers data to the folder /root/lab12/downloaded. Q1.1 What data is transferred to this folder? Q1.2 Why would this information be useful to attackers? 2

httpdtype and user discovery Apache web servers, by default, are setup in a way that makes it easy for attackers to determine the type of web server is running, what additional modules are built into Apache, and what user accounts are present on the server. The first simple utility we will look at is a program called httpdtype. It is available from http://packetstormsecurity.nl in a package named apscan2.tgz. The other utilities in this package are not useful for our purposes and will not be discussed. On your Redhat 8.0 physical machine: # cd /root/lab12/utilities # tar xvfz apscan2.tgz The other utilities are extracted as well but can be ignored. Now, type: #./httpdtype 138.210.238.42 Q1.3 What is the output? Another useful utility takes advantage of a bug in the Apache software, when run on a Redhat machine, that makes user discovery quite easy. If you try to access an existing users folder on an Apache server using a ~, the server will respond with a 403 error message, indicating Forbidden, since that particular user has not set the appropriate permissions for their folder. If you were to try to access a non-existent user in the same manor, the server would respond with a 404 message indicating Not Found. Since that user doesn't exist. Open up a web browser on your Redhat 8.0 physical machine, and type the following URL http://138.210.238.42/~root and observe the results. Now try http://138.210.238.42/~rooty [this lab assumes there is not a user called rooty ] Observe these results. As can be seen, this is a very easy method to determine what user accounts are on a particular server. C code included on NAS, named arse.c, which is short for Apache 3

and Redhat Security Exploit, will automate this process. This code can also be obtained from http://packetstormsecurity.nl. You have already downloaded arse.c, now we will compile it on the Redhat 8.0 physical machine: # cd /root/lab12/utilities # gcc -o arse arse.c Now run arse in the following manor: #./arse 138.210.238.42 80 names.txt [ names.txt contains various user names] This will check server 138.210.238.42, use port 80 (http), and check user names in names.txt. Q1.4 What user names were found? Now we know what user accounts are on the server, information that is very useful to an attacker. One very good use of this information will be shown following, where we exploit a flaw in the basic authentication system that web servers use. 3. Cracking basic auth Most web servers have information on them that is only intended for a certain user or a certain group of users. To prevent access to this information by unauthorized individuals, web servers can use basic authentication, the simplest method of authentication. For a long time this was the most common authentication method used by all web servers on the Internet and is still the primary form of access protection used by many. We have setup a private folder on our web server. Attempt to browse to: http://138.210.238.42/private/ and see that an authentication prompt comes up. [Note: a / is required after private above] This page is only available to two users with passwords. A bug exists in basic auth that sets no limits on the amount of simultaneous connections and number of authentication attempts permitted. This makes the process of brute-forcing your way into a secured folder or file much easier. Also, since we already know what users exist on the system (from our arse output), we will only test passwords for those particular users. Note that the users for this directory may not necessarily match system users, which is 4

what we determined earlier, however, chances are very good that they usually will. A really good brute-forcer for the Win32 environment is Brutus, available at: http://www.hoobie.net/brutus/ As specified on the website: Brutus has support for the following authentication types: HTTP (Basic Authentication) HTTP (HTML Form/CGI) POP3 FTP SMB Telnet Other types (must be imported) The current release includes the following functionality : Multi-stage authentication engine 60 simultaneous target connections No user name, single user name and multiple user name modes Password list, combo (user/password) list and configurable brute force modes Highly customisable authentication sequences Load and resume position Import and Export custom authentication types as BAD files seamlessly SOCKS proxy support for all authentication types User and password list generation and manipulation functionality HTML Form interpretation for HTML Form/CGI authentication types Error handling and recovery capability inc. resume after crash/failure. As you can see, Brutus can be very useful for cracking passwords with a large number of protocols. Install Brutus on your Windows XP Virtual Machine: Create a new folder on the desktop called Brutus Open the lab12 folder on the desktop and double-click on the Brutus zip file. Extract all files to the Brutus folder. Now, copy the names.txt (same file used with arse) from the lab12 folder to the Brutus folder. Now run BrutusA2.exe. For Target specify: www.cc.gatech.edu/private/ for Type : HTTP (Basic Auth) Under Authentication Options: Check Use Username For Pass Mode : Word List For User File : names.txt 5

For Pass File : words.txt Now click the Start Button Q1.5 Are the passwords for the two users able to be cracked and if so, what are the users and passwords and how long did it take? Brutus is also very useful in the fact that it can also brute-force passwords. If you want to try this, change Pass Mode to Brute Force and click Start. Warning: If you don't set the Range settings to something close to the passwords you are attempting to crack, you could literally be waiting for centuries. Play around with the Brute Force Range options to get an idea about what takes the longest. Q1.6 What types of passwords would be easiest to crack? Which would be hardest? Why? Now, if you want play around with the many other features in Brutus to get a feel for what all can be accomplished with this software. Exercise 2: Vulnerability Scanning Several tools are available to automate the process of parsing web servers for the numerous exploits that are continuously found in the hacking community. Commonly called vulnerability scanners, these types of tools will scan for dozens of well-known vulnerabilities. Attackers can then use there time more efficiently in exploiting the vulnerabilities found by the tools. In this lab, we'll use one of the more popular scanners called Nikto. It can obtained from: http://www.cirt.net/code/nikto.shtml. 6

The description on the website states: Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/cgis, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). We will install and use Nikto to see what we find. Since Nikto is a Perl script, it requires the Perl module Net::SSLeay for it to have HTTPS support. That module can be obtained from: http://www.cpan.org/authors/id/s/sa/sampo/net_ssleay.pm-1.25.tar.gz. We will now install Nikto and the Net::SSLeay module. On your Redhat 8.0 physical machine: # cd /root/lab12 # tar xvfz Net_SSLeay.pm-1.25.tar.gz # cd Net_SSLeay.pm-1.25 #./Makefile.PL # make install # cd.. # tar xvfz nikto-current.tar.gz # cd nikto-1.32 #./nikto.pl This will display Nikto's large variety of command-line options. For more detailed descriptions consult the nikto-usage.txt file in the /docs folder. To test the vulnerabilities on our web server type: #./nikto.pl -h 138.210.238.42 -p 80,443 > outfile.txt This will scan the web server on our Redhat 7.2 Virtual Machine on port 80 (http) and port 443 (https). The > outfile.txt will output to the file what would normally be displayed to the screen. Open outfile.txt in your favorite text editor to observe what is found. Attach a printout of this file. Q2.1 How can this information be used to a hacker's advantage? 7

If you are wondering what reflection will be made on the server in terms of logs files, etc. we have included an access log from the server after being subjected to the same attacks. On your RH8.0 machine it is /root/lab12/access_logs. Open this with a test editor (it is a large file) and look at the contents. Q2.2 Is it apparent that a scanner (in our case, Nikto) was run and if so how can you tell? What about Brutus? How long did it take you to complete this lab? Was it an appropriate length lab? What corrections and or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make corrections/suggestions. Note that part of your lab grade is what improvements you make to this lab. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information