Learn Ethical Hacking & get free Hacking Tools

9 views
Skip to first unread message

Learn Ethical Hacking & Get free hacking tools and softwares

unread,
Aug 15, 2009, 12:06:14 AM8/15/09
to Meet...@googlegroups.com

Learn Ethical Hacking & get free Hacking Tools

Link to Learn Ethical Hacking & Get free hacking tools and softwares

IIS Components

Posted: 14 Aug 2009 08:37 AM PDT

IIS Components

  • IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities.

  • Example: Server side scripting, Content Indexing, Web Based printing etc.

  • This architecture provides attackers with different functionality to exploit via malicious input.

IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities. Example: Server side scripting, Content Indexing, Web Based printing etc. This architecture provides attackers with different functionality to exploit via malicious input. On a IIS Web server with no service packs or hot fixes applied, there are way too many ways that a command shell can be invoked through inetinfo.exe, the IIS process. Yet, there is no reason for inetinfo.exe to be invoking a shell.

IIS consists of several components. These include:

  • Background Intelligent Transfer Service (BITS) server extension: BITS is a background file transfer mechanism used by applications such as Windows Updates and Automatic Updates.

  • Common Files: On a dedicated Web server, these files are required by IIS and must always be enabled.

  • File Transfer Protocol (FTP) Service: Allows the Web server to provide FTP services. This component is not required on a dedicated Web server. However, this may be enabled on a server that is only used for posting content, to support software such as Microsoft FrontPage® 2002 without enabling FrontPage 2002 Server Extensions. Because the FTP credentials are always sent in plaintext, it is recommended to connect to FTP servers through a secured connection, such as those provided by IPSec or a VPN tunnel.

  • FrontPage 2002 Server Extensions: Provides FrontPage support for administering and publishing Web sites. On a dedicated Web server, this must be disabled when no Web sites are using FrontPage Server Extensions.

  • Internet Information Services Manager: Administrative interface for IIS. This is to be disabled when the Web server is not administered locally.

  • Internet Printing: Provides Web-based printer management and allows printers to be shared by using HTTP. This component is usually not required on a dedicated Web server.

  • NNTP Service: Distributes, queries, retrieves, and posts Usenet news articles on the Internet. This component is not required on a dedicated Web server.

  • SMTP Service: Supports the transfer of electronic mail. This component is not required on a dedicated Web server.

  • World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server. If this component is not enabled, then all subcomponents are not enabled.

    • Active Server Pages: Provides support for Active Server Pages (ASP). Disable this component if none of the Web sites or applications on the Web server uses ASP.

    • Internet Data Connector: Provides support for dynamic content provided through files with .idc extensions.

    • Disable this component if none of the Web sites or applications on the Web server includes files with .idc extensions.

    • Remote Administration (HTML): Provides an HTML interface for administering IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

    • Remote Desktop Web Connection: Includes Microsoft ActiveX® controls and sample pages for hosting Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

    • Server-Side Includes: Provides support for .shtm, .shtml, and .stm files. Disable this component if none of the Web sites or applications on the Web server includes files with these extensions.

    • WebDav Publishing: Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Disable this component on a dedicated Web server.

    • World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server.

ISAPI DLL Buffer Overflows

  • One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.

  • In 2001, IIS servers were ravaged by versions of the Code Red and Nimda worms which were both based on buffer overflow exploits.

ISAPI - Introduction

Internet Server Application Programming Interface (ISAPI) is an API developed to provide the application developers with a powerful way to extend the functionality of Internet Information Server (IIS). ISAPI allows web developers to develop custom code that provides additional web services. This custom code can either be implemented in an ISAPI filter, if the new functionality provides a low-level service, or conversely an ISAPI extension, if the new functionality provides a high-level service. Although ISAPI extensions are not limited to IIS, they are extensively used in conjunction with web servers.

---Regards,
Amarjit Singh
---Regards, Amarjit Singh

Attacks against IIS

Posted: 14 Aug 2009 08:35 AM PDT

Attacks against IIS

  • IIS is one of the most widely used Web server platforms on the Internet.

  • Microsoft's Web Server has been the frequent target over the years.

  • It has been attacked by various vulnerabilities. Examples include:

    1. ::$DATA vulnerability

    2. showcode.asp vulnerability

    3. Piggy backing vulnerability

    4. Privilege command execution

    5. Buffer Overflow exploits (IIShack.exe)

Let us look at some of the technology that forms the basis of web applications.

Simple HTML could not contribute much to the dynamic nature of interaction on the web. Therefore, dynamic capabilities were added by using Common Gateway Interface (CGI) applications. These applications ran on the server and generated dynamic content tailored to each request. This capability to process input and generate pages in real time greatly expanded the functional potential of a Web application.

However, as CGI programs were both discrete and resource intensive with each HTTP request, Microsoft introduced two distinct technologies to serve as the basis for Web applications: Active Server Pages (ASP) and the Internet Server Application Programming Interface (ISAPI).

ASP scripts are usually written in a human-readable scripting language like Visual Basic, and Microsoft asserts that the technology is largely language-neutral. The ASP interpreter is implemented as an ISAPI DLL.

ISAPI on the other hand is much less visible to end users. Quite naturally, Microsoft uses many ISAPI DLLs to extend IIS itself. ISAPI DLLs are binary files that are not exactly human-readable or given to human interpretation. However, if the user knows the name of an ISAPI DLL, it can be called via HTTP. They are capable of running inside or outside the IIS process (inetinfo.exe) and, once instantiated remain resident; thereby reducing the overhead of spawning a new process for a CGI executable to service each request.




Internet Information Services (IIS) has been consistently targeted for attacks. Server administrators have been overwhelmed by more than 100 vulnerabilities discovered in IIS web servers in just the last few years alone. It has been seen that when a web server is attacked, the attacker usually tries to run certain commands or access certain files.

For instance, one popular command that an attacker is likely to run during the course of the attack is cmd.exe. Another file that is likely to be of interest to an attacker on IIS is global.asa, which often contains passwords or other sensitive information. Previously, many exploits on IIS have involved traversing directories, viewing server-side scripts, or running a remote command.

Threat

Some of the popular vulnerabilities have been:

::$DATA IIS Vulnerability

Microsoft's Internet Information Server (IIS) contained a vulnerability in how it handles the multiple data streams NTFS provides for each file. The $DATA vulnerability, published in mid-1998, resulted from an error in the way the Internet Information Server parsed file names. $DATA is an attribute of the main data stream (which holds the "primary content") stored within a file on NT File System (NTFS). By creating a specially constructed URL, it was possible to use IIS to access this data stream from a browser.

By doing so the attacker could display the code of the file containing that data stream and any data that the file held. This method could be used to display a script-mapped file that could normally be acted upon only by a particular Application Mapping. The contents of these files are not ordinarily available to users. However, in order to display the file, the file must reside on the NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must also know the file name. By appending the string ::$DATA, a remote user could view the contents of a file that is normally set to be acted upon by an Application Mapping, such as Active Server Pages (ASP). The attacker, however, must previously have read access to this file to view its contents. This attack could allow a user to read potentially proprietary and compromising script source. This vulnerability affected Microsoft IIS versions earlier than 3.0.

Showcode.asp

Showcode.asp is a script that allows a web developer to easily view the code for a number of examples included with Internet Information Server. It comes under several different guises, including showcode.asp, viewcode.asp, and codebrws.asp among others. Essentially it lets the developer view the code of a server-side script without executing it. The problem is that it does not just stop at that because with some manipulation of the URL it lets an attacker view any file on the same drive as the script. With a little playing around one can easily compromise an entire server and any sensitive information it contains.

Showcode.asp is included as an example with the Microsoft Data Access Components that are installed with a number of products or that can be installed individually. The default install location is C:\Program Files \Common Files \SYSTEM\MSADC. In a web server, that subdirectory is also mapped as a virtual directory named MSADC off the web root.

Showcode.asp takes a single argument indicating the name of the file that is to be viewed. Though the sample code was initially intended to view code samples in the MSADC directory, a malicious user can start prodding by taking a path with MSADC and then use directory traversal to move up the directory tree and on to any path on the same drive. The vulnerability occurred because the sample script failed to check for that double-dot in the script's argument thereby making it exploitable.

Piggy-backing privileged command execution on back-end database queries (MDAC/RDS)

MDAC is a package used to integrate Web and database services. It includes the RDS component that provides remote access to database objects through IIS. By exploiting vulnerabilities in RDS depending on the security posture of the website, attackers can send random SQL commands that manipulate the database or retrieve any desired information. In this specific case, the attacker can even gain administrative rights by embedding the shell () VBA command into the SQL command and execute any highly privileged system commands.

Buffer Overflow Vulnerabilities

A buffer is an area of memory within a program that has used to store data of some kind - for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data.

Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it's running. If the data that overruns the buffer is random data, it won't be valid program code, and the program will fail when it tries to execute the random data. On the other hand, if the data is valid program code, the program will execute the new code and perform some new function - one chosen by whoever supplied the data. Practically exploitable remote buffer overflows on Windows are rare, but on IIS, the exploit scene is different. The first was the .htr buffer overflow exploit against IIS 4, discovered by eEye Digital Security in June 1999. On IIS, the severity of buffer overflows are high because IIS runs under the SYSTEM account context, buffer overflow exploits often allow arbitrary commands to be run as SYSTEM on the target system.

Some of the buffer overflows that have been seen are:

  • Internet Printing Protocol (IPP) buffer overflow

  • Indexing services ISAPI extension buffer overflow

  • Code Red Worm

  • FrontPage 2000 server extension buffer overflow

---Regards,
Amarjit Singh
---Regards, Amarjit Singh

Apache Vulnerability

Posted: 14 Aug 2009 08:32 AM PDT

Apache Vulnerability

  • The Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes.

  • For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20.

    • Long URLs passing through the mod_negative, mod_dir and mode_autoindex modules could cause Apache to list directory contents.

    • The concept is simple but requires a few trial runs.

    • A URL with a large number of trailing slashes:

      • /cgi-bin /////////////////////////// / could produce directory listing of the original directory.

The purpose of discussing the various vulnerabilities of the web server here is to highlight how ingenious attackers can be in exploring the functionality of the various components that they are able to elicit an unexpected and previously unknown behavior of a piece of code. No matter how insignificant it is, a security breach can have far reaching implications if left unattended.

This is not the only issue in focus. The possibility of eliminating flawed coding practices and incorporating proper testing must not be ignored as security measures.

The Apache Week tracks the vulnerabilities in Apache Server. For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20. Because of this, a client submitting a very long URI could cause a directory listing to be returned rather than the default index page. This was subsequently fixed in Apache httpd 1.3.22

Threat

Some of the other vulnerabilities have been:

Remote DoS via IPv6: When a client requests that proxy ftp connect to an ftp server with IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs causing a remote Denial of Service. This has been fixed in Apache httpd 2.0.47

Remote DoS with multiple Listen directives: In a server with multiple listening sockets a certain error returned by accept () on a rarely access port can cause a temporary denial of service, due to a bug in the prefork MPM. This has been fixed in Apache httpd 2.0.47

APR remote crash: A vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. This has been fixed in Apache httpd 2.0.46

Basic Authentication DoS: A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. This has been fixed in Apache httpd 2.0.46

Line feed memory leak DoS: Apache 2.0 versions before Apache 2.0.45 have a significant Denial of Service vulnerability. Remote attackers can cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. This has been fixed in Apache httpd 2.0.45

MSDOS device names cause DoS: Apache versions before 2.0.44 on Windows do not correctly filter MS-DOS device names which can lead to denial of service attacks and remote code execution. This has been fixed in Apache httpd 2.0.44

Apache can serve unexpected files: On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL. This has been fixed in Apache httpd 2.0.44

Rewrite rules that include references allow access to any file: The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in Rewrite Rule directives: If the destination of a Rewrite Rule contains regular expression references then an attacker will be able to access any file on the server. This has been fixed in Apache httpd 1.3.14

---Regards,
Amarjit Singh
---Regards, Amarjit Singh

Popular Web Servers : Hacking Web Servers Part - 3

Posted: 14 Aug 2009 08:16 AM PDT

The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web Server.

The Apache Web Server is an open-source web server for modern operating systems including UNIX and Windows NT. The server provides HTTP services in sync with the current HTTP standards in an efficient and extensible environment.

The Java Web Server / Sun ONE Web Server is one of the other highly available Web servers on the market. Microsoft's Internet Information Server is another popular server used by a sizable percentage of websites.

Threat

Common Security Risks

Let us take a look at some of the security concerns that arise in the context of web servers. There are inherent security risks that affect web servers, the local area networks that host these web sites, and perhaps even the normal users of web browsers.


Webmaster's Concern

From a webmaster's perspective, the biggest security concern is that the web server can expose the local are network or the corporate intranet to the threats posed by the Internet. This may be in the form of virus, Trojans, hackers or compromise of information itself. It is often considered that software bugs present in large complex programs are the source of imminent security lapses. Web servers, being large complex devices do come with these inherent risks. Apart from this, the open architecture of some Web servers allows arbitrary scripts to be executed on the server's side of the connection in response to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

Network Administrator's Concern

From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web site is to provide controlled access to the network, too much of control can make a Web site impossible to use. In an intranet environment, the network administrator has to careful about configuring the web server such that legitimate users are recognized and authenticated and various groups of users assigned distinct access privileges.

End User's Concern

Usually the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications such as viruses to invade the user's system. Besides, active content from a web browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The threat for the end user stems from the fact that the TCP/IP protocol was not designed with security as its foremost priority. Therefore, data can be compromised in terms of confidentiality, authentication, and integrity as it is transmitted across the Web. In essence the aspects of confidentiality, authentication, and integrity need to be guarded both on the client side and server side to the extent possible.

Risks

There are basically three overlapping types of risk:

  1. Bugs /misconfiguration problems in the Web server that allow unauthorized remote users to:

    • Steal classified information.

    • Execute commands on the server host machine and modifying the system.

    • Retrieve host based information to assist them in compromising the system.

    • Launch denial-of-service attacks, rendering the machine temporarily unusable.

  2. Browser-side risks

    • Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates a disturbance.

    • The misuse of personal information provided by the end-user.

  3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:

    • The network on the browser's side of the connection.

    • The network on the server's side of the connection (including intranets).

    • The end-user's Internet service provider (ISP).

    • The server's ISP or regional access provider.

---Regards,
Amarjit Singh
---Regards, Amarjit Singh

How Web Servers Work : Hacking Web Servers Part - 2

Posted: 14 Aug 2009 08:14 AM PDT

  • The browser breaks the URL into three parts:

    1. The protocol ("http")

    2. The server name ("www.website.com")

    3. The file name ("webpage.html")

  • The browser communicates with a name server, which translates the server name, www.website.com, into an IP address

  • The browser then forms a connection to the Web server at that IP address on port 80.

  • Following the HTTP protocol, the browser sends a GET request to the server, asking for the file http://webpage.html.

  • The server sends the HTML text for the Web page to the browser.

  • The browser reads the HTML tags and formats the page onto the screen.

Let us take a look at the basic working of a web server. What happens when you type http://www.eccouncil.org/Certification.htm in your browser?

  • The browser differentiates the URL into three parts:

    1. The protocol ("http")

    2. The server name (www.eccouncil.com)

    3. The file name ("Certification.htm")

  • The browser initiates the connection by communicating with a name server to translate the server name www.eccouncil.com into a valid IP Address.

  • It then uses this IP address to connect to the target web server machine.

  • The browser then establishes a connection to the web server at the specific IP address on port 80. This is the default port. (It can be any other port as well)

  • According to the HTTP protocol, the browser sends a GET request to the server, to retrieve the file "http://www.eccouncil.org/certification.htm"

  • The web server then sends the HTML text for the particular Web page to the browser.

  • The browser reads the HTML tags and formats the page on the user's screen.

Other HTTP methods like POST, PUT, are used in subsequent communications if needed. The response from the server includes the HTTP response code suitable for the result of the request. In the case of successful data retrieval, an HTTP 200 OK response is generated. Other HTTP response codes exist: common ones include 404 Not Found, 403 Access Denied, and 302 Object Moved (often used to redirect requests to a login page to authenticate a user).

Popular Web Servers and Common Security Threats

  • Apache Web Server

  • IIS Web Server

  • Sun ONE Web Server

  • Nature of Security Threats in a Web Server Environment.

    • Bugs or Web Server Misconfiguration.

    • Browser-Side or Client Side Risks.

    • Sniffing

    • Denial of Service Attack.

---Regards,
Amarjit Singh
---Regards, Amarjit Singh

Hacking Web Servers Part - 1

Posted: 14 Aug 2009 08:13 AM PDT

The Internet is probably where security or the lack of it is seen the most. Often, a breach in security causes more damage in terms of goodwill than the actual quantifiable loss. This makes the security of web servers assume critical importance. Most organizations consider their Internet presence as an extension of themselves. In this module, we will explore:

  • The basic function of a web server

  • Popular web servers and common vulnerabilities

  • Apache Web Server and known vulnerabilities

  • IIS Server vulnerabilities

  • Attacks against web servers

  • Tools used in Attack against web servers

  • Countermeasures that can be adopted

This module attempts to highlight the various security concerns in the context of a web server. Readers are encouraged to supplement this module by following vulnerability discussions on various mailing lists such as bugtraq and security bulletins issued by third party vendors for various integrated components.

---Regards,
Amarjit Singh
---Regards, Amarjit Singh

Protecting against Session Hijacking

Posted: 14 Aug 2009 08:10 AM PDT

  1. Use Encryption

  2. Use a secure protocol

  3. Limit incoming connections

  4. Minimize remote access

  5. Have strong authentication.

Countermeasure

When practical, limit successful sessions to specific IP addresses. This usually only works when dealing within an intranet setting, where the IP ranges are predictable and finite.

Countermeasure

Re-authenticate the user before critical actions are performed. If possible, try to limit unique session tokens to each browser instance (e.g. generate the token with a hash of the MAC address of the computer and process id of the browser, etc.) Configure the appropriate spoof rules on gateways (internal and external). Monitor for ARP cache poisoning, by using IDS products or ARPwatch.

Countermeasure

Use x.509 certificates to prevent more traditional types of TCP hijacking.

Countermeasure

Use encryption. This can be done by one or more of the following.

  • Forcing all incoming connections from the outside world to be fully encrypted.

  • Forcing all connections to critical machines to be fully encrypted.

  • Forcing all traffic on the network to be encrypted.

  • Using encrypted protocols, like those found in the OpenSSH suite. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server.

Countermeasure

Use strong authentication (like Kerberos) or peer-to-peer VPN's.


---Regards,
Amarjit Singh
---Regards, Amarjit Singh

Remote TCP Session Reset Utility

Posted: 14 Aug 2009 08:09 AM PDT


This security tool can remotely display all active sessions on a terminal server, router, dial-in server, access server, etc. The user can reset any TCP session remotely.

Resetting a connection is simple.

  1. Start up the remote TCP session reset

  2. Enter the IP address of the machine whose connection is to be reset.

  3. Enter the read-write community string.

  4. Click on connect to retrieve a list of active TCP connections

  5. Click on the connection that is to be disconnected, and select 'Break' from the toolbar.


---Regards,
Amarjit Singh
---Regards, Amarjit Singh
You are subscribed to email updates from Learn Ethical Hacking & Get free hacking tools and softwares
To stop receiving these emails, you may unsubscribe now.		 Email delivery powered by Google
Google Inc., 20 West Kinzie, Chicago IL USA 60610
Reply all
Reply to author
Forward
0 new messages