Apache Security - Ivan Ristic [170]
(The 1644 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
8080/tcp open http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 157.022 seconds
You can go further if you use Nmap with a -sV switch, in which case it will connect to the ports you specify and attempt to identify the services running on them. In the following example, you can see the results of service analysis when I run Nmap against ports 21, 80, and 8080. It uses the Server header field to identify web servers, which is the reason it incorrectly identified the Apache running on port 80 as a Microsoft Internet Information Server. (I configured my server with a fake server name, as described in Chapter 2, where HTTP fingerprinting for discovering real web server identities is discussed.)
# nmap -sV XXX.XXX.XXX.XXX -P0 -p 21,80,8080
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
Interesting ports on XXX.XXX.XXX.XXX:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.2.9
80/tcp open http Microsoft IIS webserver 5.0
8080/tcp open http Apache httpd 2.0.49 ((Unix) DAV/2 PHP/4.3.4)
Nmap run completed -- 1 IP address (1 host up) scanned in 22.065 seconds
* * *
Tip
Another well-known tool for service identification is Amap (http://www.thc.org/releases.php). Try it if Nmap does not come back with satisfactory results.
* * *
Scanning results will usually fall into one of three categories:
No firewall
Where there is no firewall in place, you will often find many unrestricted services running on the server. This indicates a server that is not taken care of properly. This is the case with many managed dedicated servers.
Limited firewall
A moderate-strength firewall is in place, allowing access to public services (e.g., http) but protecting private services (e.g., ssh). This often means whoever maintains the server communicates with the server from a static IP address. This type of firewall uses an "allow by default, deny what is sensitive" approach.
Tight firewall
In addition to protecting nonpublic services, a tight firewall configuration will restrict ICMP (ping) traffic, restrict outbound traffic, and only accept related incoming traffic. This type of firewall uses a "deny by default, allow what is acceptable" approach.
If scan results fall into the first or the second category, the server is probably not being closely monitored. The third option shows the presence of people who know what they are doing; additional security measures may be in place.
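To make the three categories usable in a triage script, here is an added example (not from the book) that parses Nmap's normal-output port table, in the layout shown above, and applies the classification as a heuristic. The host XXX.XXX.XXX.XXX, the sample scan, the public/private split of services, and the `ping_replied` flag (whether the host answered ICMP, i.e. whether it was only found because of -P0) are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample: an Nmap "normal output" port table in the layout used
# on this page, against the assumed host XXX.XXX.XXX.XXX.
SAMPLE_SCAN = """\
Interesting ports on XXX.XXX.XXX.XXX:
(The 1644 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 157.022 seconds
"""

# Assumed split: services meant to be reachable from anywhere versus
# everything else, which the text treats as private (its example is ssh).
PUBLIC = {"http", "https", "http-proxy", "smtp", "domain", "ftp"}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(output: str) -> List[Dict[str, object]]:
    """Return one dict per port line: port, proto, state, service."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # header, summary and "ports not shown" lines do not match
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4)})
    return ports


def classify(output: str, ping_replied: bool = True) -> str:
    """Map a scan to the three categories from the text (heuristic, assumed).

    Any private service in state "open" means no firewall is filtering it.
    Only public services open means a limited firewall, or a tight one if
    the host also dropped the ICMP probe (ping_replied=False), since a
    tight configuration restricts ping as well. Filtered ports never count.
    """
    open_services = {p["service"] for p in parse_ports(output)
                     if p["state"] == "open"}
    if open_services - PUBLIC:
        return "no firewall"
    return "limited firewall" if ping_replied else "tight firewall"
```

Run `classify(SAMPLE_SCAN)` on the sample to get "no firewall" (ssh and mysql are reachable); feeding it the output of a real scan requires nothing more than pasting the port table.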
Web Server Analysis
This is where the real fun begins. At a minimum, you need the following tools:
A browser to access the web server
A way to construct and send custom requests, possibly through SSL
A web security assessment proxy to monitor and change traffic
Optionally, you may choose to perform an assessment through one or more open proxies (by chaining). This makes the test more realistic, but it may disclose sensitive information to others (whoever controls the proxy), so be careful.
* * *
Tip
If you do choose to go with a proxy, note that special page objects such as Flash animations and Java applets often choose to communicate directly with the server, thus revealing your real IP address.
* * *
We will take these steps:
Test SSL.
Identify the web server.
Identify the application server.
Examine default locations.
Probe for common configuration problems.
Examine responses to exceptions.
Probe for known vulnerabilities.
Enumerate applications.
Testing SSL
I have put SSL tests first because, logically, SSL is the first layer of security you encounter. Also, in some rare cases you will encounter a target that requires use of a privately issued client certificate. In such cases, you are unlikely to progress