Web Servers Hacking
Web servers are very popular these days, and almost all types of applications are now hosted on the Internet.
The open source web server architecture comprises the LAMP stack, where end users access the websites and applications hosted on these web servers through the Internet.
- L: Linux: the web server's operating system
- A: Apache: the web server component
- M: MySQL: a relational database
- P: PHP: the application layer
IIS Webserver Architecture: IIS (Internet Information Services) is the web server developed by Microsoft for Windows operating systems. It is the second most widely used web server after the Apache HTTP Server. IIS supports HTTP, HTTPS, SMTP, FTP and NNTP.
How Does a Web Server Work?
Files on web servers are accessed and downloaded using HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure). HTTP is an application layer protocol of the TCP/IP stack. Web pages are written in HTML (Hypertext Markup Language) and are viewable in a web browser on the client.
- Web server software misconfigured: in most Microsoft IIS installations the default website is left enabled, and its open permissions are a common cause of compromise. Once IIS is installed, it is important to change the permissions of the default anonymous user, IUSR_COMPUTERNAME.
- Operating system bugs: patch the operating system with the latest updates regularly, either manually or automatically, to avoid compromise.
- Application bugs or flaws in code: make sure application bugs are fixed and hotfixes are released as soon as an issue is observed or identified.
- Vulnerable default installation: software and OS settings should never be left at their defaults; for example, the default admin account name "administrator" should be changed to something else.
As web servers run HTTP and HTTPS, they listen on TCP port 80 for HTTP and TCP port 443 for HTTPS. These ports must be open on the firewall for clients to communicate with the web server. Web applications sit on top of the web server and may use other ports for communication.
Banner grabbing is one of the steps when targeting a web server.
First, telnet to the IP address of the web server from the Windows command prompt:
telnet <Webserver IP> 80
You can also use the URL instead of the web server IP address. Here 80 is the port number (HTTP: 80).
Once the session is open, type the request below and press Enter; the web server banner is then shown on the CLI:
Date: Wed, 2 Dec 2015 1:18:32 GMT
Content-Length: 340
With the help of this, the web server type and version are identified. Based on this version the attack that needs to be carried out can be identified. Since we know it is an IIS server, we also know that the underlying operating system is Windows.
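As an added example (not code from the original article), the following Python script performs the same banner grab programmatically: it sends a HEAD request (assumed here to be the request typed into the telnet session) and parses the reply headers so an administrator can check whether the server discloses its product and version. The sample response is constructed, not captured from a real host.

```python
import socket

# Constructed sample reply (not captured from a real host) so the parser
# can be exercised offline; the Date/Content-Length lines mirror the article.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Date: Wed, 2 Dec 2015 1:18:32 GMT\r\n"
    b"Content-Length: 340\r\n"
    b"\r\n"
)


def parse_banner(raw):
    """Split a raw HTTP reply into (status line, {lowercased header: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_disclosure(headers):
    """Classify the Server header as 'none', 'product' or 'version'."""
    banner = headers.get("server", "")
    if not banner:
        return "none"
    product, sep, version = banner.partition("/")
    # "Microsoft-IIS/7.5" discloses a version; "Microsoft-IIS" only a product.
    return "version" if sep and version[:1].isdigit() else "product"


def grab_banner(host, port=80, timeout=5):
    """Send a HEAD request (assumed equivalent to the telnet step) and parse the reply."""
    request = "HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return parse_banner(buf)
```

Run `grab_banner` against your own server to verify that the Server header has been trimmed to what you intend to publish.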
The next step would be to attack the web server and take control of the data on it.
A very common type of attack on websites is DEFACEMENT. Here the attacker mainly focuses on showing off hacking skills and building reputation rather than actually stealing data from the website.
In website defacement, the hacker modifies the website files and leaves a mark on the homepage saying that the site has been hacked. Mostly the hacker's name or group name is shown along with some image. Something like below:
Windows IIS is a popular web server, which also makes it a popular target for attackers. Different types of attacks can be launched against the Windows IIS web server.
1. Directory Traversal: A client accessing a server has limited access to certain directories. The root directory on the web server is the initial directory a client accesses; it holds the default or index page along with other HTML-related folders and files. There can also be sub-directories containing other files, images or scripts which a normal user should not be able to access, but with a directory traversal attack access to these directories can be gained.
This directory traversal attack is also known as the Unicode exploit. The compromise succeeds because the server has not been patched with the latest updates, which affects the CGI scripts and ISAPI (Internet Server Application Programming Interface) extensions such as .asp.
2. Source Disclosure: the source code of the application is accessible. From the code the hacker can identify the programming language, application type, etc., and from that many security holes can be identified and exploited.
3. Buffer Overflow: these are not specific to web servers and are also carried out against other systems. As the term overflow implies, sending more than can be taken or handled, in a buffer overflow more data is sent than the application can handle.
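As an added example that is not part of the original article, the following Python code contrasts the naive path handling that makes directory traversal (item 1 above) possible with a hardened resolver that decodes, normalises and confines the requested path to the web root; the web root /var/www/html used in the tests is an assumed value.

```python
import posixpath
from urllib.parse import unquote


def naive_request_path(web_root, url_path):
    """The unsafe pattern: concatenate and trust the client-supplied path."""
    return posixpath.normpath(web_root + "/" + unquote(url_path))


def decode_fully(url_path, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' or '/' is not missed."""
    for _ in range(rounds):
        decoded = unquote(url_path)
        if decoded == url_path:
            break
        url_path = decoded
    return url_path


def resolve_request_path(web_root, url_path):
    """Return the file path for url_path under web_root, or None if it escapes the root."""
    decoded = decode_fully(url_path)
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-based servers
    decoded = decoded.replace("\\", "/")  # IIS treats backslash as a separator
    root = posixpath.normpath(web_root)
    # Normalise AFTER joining, so any '..' is resolved against the real root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```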
Patch management is a very crucial technique for mitigating the risk of web servers and web applications being attacked. In this process the patches and hotfixes of different vendors are applied. The proper process involves verifying which patches need to be installed and testing them in a lab environment before applying them to a production box or environment.
It is good practice to maintain a list of installed patches and keep log files. Many patch management tools are available these days to automate the patch management process.
Hardening web servers means increasing their security. The methods below can be used to harden the web server.
- Use strong passwords and rename the administrator account. Renaming can be done from User Manager by right-clicking the administrator name and choosing Rename.
- Disable the default FTP site and other default sites; this can be done in IIS Manager by right-clicking the default website and choosing Stop.
- Remove unused applications from web servers, using the Control Panel Add/Remove Programs option.
- Display a legal notice or banner when someone logs into the web server, clearly stating the legal consequences of any malpractice or theft of identity or data.
- Bounds-check forms and query strings to make sure buffer overflows or other malicious input cannot be provided.
- Do not allow remote administration; only administrators from within the data center or DMZ should be able to access the admin console.
- Perform regular audits and logging on the web server.
- Use a good firewall between the web server and the Internet so incoming and outgoing traffic can be inspected. Keep only necessary ports open, such as port 80 for HTTP and port 443 for HTTPS.
Impact of Webserver Attacks
- User accounts compromised
- Data Tampering
- Website defacement
- Launch secondary attacks from the website
- Data Theft
- Gain root access to other application servers or applications
Webserver Hacking Tools
- ID Serve
- Brutus (password cracking)
Web server attack using website mirroring: with tools such as HTTrack, WinWSD, WebCopier and BlackWidow, you can create a complete offline copy of a website and save it in your directory. This copies all HTML pages, images, etc., downloading all directories recursively. The attacker then goes through all the links and pages offline, prepares the attack and, once ready, attacks online.
Patch Management Tools
- Altiris Client Management tool
- GFI LanGuard
- VMware vCenter Protect
- Prism Patch Manager
Countermeasures for Webserver hacking
- Keep the web server patched and updated with the latest hotfixes
- Keep a back-out plan in case you need to revert to the old configuration
- Test the patch in non-production before applying it in production
- Keep service pack upgrades scheduled and done holistically
- Block unnecessary ports
- If using Telnet, FTP, etc., make sure you use IPsec to protect them
- Disable WebDAV if it is not being used
- Disable unused user accounts and do not grant database access to all users
- Use strong password policies
- Eliminate unnecessary files within .jar files
- Monitor and check web service logs regularly