
CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves [67]

another door into the network. Not only the web server software, but also applications that run on the web server, are open to attack and can be exploited. Due to their function, web servers are more accessible than other systems and less protected, so they're easier to exploit.

A web server is available via the Internet 24/7, which makes it a fairly easy attack point on the network. This chapter will discuss types of attacks performed against web servers, as well as web applications and their vulnerabilities.

Hacking Web Servers

As a Certified Ethical Hacker, understanding how web servers are hacked is an important part of your job. This includes knowing their vulnerabilities, as well as understanding the types of attacks, including Internet Information Server (IIS) Unicode exploits, that a hacker may use. In addition, you should know when to use patch-management techniques and understand the methods used to harden web servers.

We'll look at all these topics in the following sections.

List the Types of Web Server Vulnerabilities

Web servers, like other systems, can be compromised by a hacker. The following vulnerabilities are most commonly exploited in web servers:

■ Misconfiguration of the web server software

■ Operating system or application bugs, or flaws in programming code

■ Vulnerable default installation of operating system and web server software, and/or lack of patch management to update operating system or web server software

■ Lack of or not following proper security policies and procedures

Hackers exploit these vulnerabilities to gain access to the web server. Because web servers are located in a Demilitarized Zone (DMZ), which is a publicly accessible area between two packet filtering devices, and can be more easily accessed by the organization's client systems, an exploit of a web server offers a hacker easier access to internal systems or databases.

Understand the Attacks against Web Servers

The most visible type of attack against web servers is defacement. Hackers deface websites for sheer joy and an opportunity to enhance their reputations. Defacing a website means the hacker exploits a vulnerability in the operating system or web server software and then alters the website files to show that the site has been hacked. Often the hacker displays their hacker name on the website's home page.

Common website attacks that enable a hacker to deface a website include the following:

■ Capturing administrator credentials through man-in-the-middle attacks

■ Revealing an administrator password through a brute-force attack

■ Using a DNS attack to redirect users to a different web server

■ Compromising an FTP or e-mail server

■ Exploiting web application bugs that result in a vulnerability

■ Misconfiguring web shares

■ Taking advantage of weak permissions

■ Rerouting a client after a firewall or router attack

■ Using SQL injection attacks (if the SQL server and web server are the same system)

■ Using Telnet or Secure Shell (SSH) intrusion

■ Carrying out URL poisoning, which redirects the user to a different URL

■ Using web server extension or remote service intrusion

■ For cookie-enabled security: intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges

Understand IIS Unicode Exploits

Windows 2000 systems running IIS are susceptible to a directory traversal attack, also known as the Unicode exploit. The vulnerability in IIS that allows the directory traversal/Unicode exploit occurs only in unpatched Windows 2000 systems and affects CGI scripts and ISAPI extensions such as ASP. The vulnerability exists because the IIS parser did not properly interpret Unicode, giving hackers system-level access.

Essentially, Unicode converts characters of any language to a universal hex code specification. However, the Unicode was interpreted twice, and the parser scanned the resulting request only once (following the first interpretation). Hackers could therefore sneak file requests through IIS.
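The "interpreted twice, scanned once" flaw described above can be modeled in a few lines. The following is an added example, not code from the book or from IIS: it uses plain URL percent-encoding as a simplified stand-in for the IIS decoding step, and every function name and sample path in it is constructed for illustration.

```python
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: paths still changing after this many decodes are rejected

# Constructed sample request paths (not taken from the book).
BENIGN = "/scripts/report.asp"
SINGLE = "/scripts/%2e%2e/%2e%2e/secret.txt"          # encoded once
DOUBLE = "/scripts/%252e%252e/%252e%252e/secret.txt"  # encoded twice


def has_traversal(path: str) -> bool:
    """True if any segment is '..'; backslash counts as a separator."""
    return ".." in path.replace("\\", "/").split("/")


def handler_sees(raw: str) -> str:
    """Models the second interpretation: the path after two decodes."""
    return unquote(unquote(raw))


def flawed_check(raw: str) -> bool:
    """Scans after ONE decode only. Returns True if the request is allowed."""
    return not has_traversal(unquote(raw))


def canonicalize(raw: str) -> str:
    """Decode until the value stops changing, so nothing is left to decode."""
    current = raw
    for _ in range(MAX_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many encoding layers")


def hardened_check(raw: str) -> bool:
    """Validates the fully decoded path; rejects anything it cannot settle."""
    try:
        return not has_traversal(canonicalize(raw))
    except ValueError:
        return False


if __name__ == "__main__":
    for p in (BENIGN, SINGLE, DOUBLE):
        print(f"{p!r}: flawed={flawed_check(p)} hardened={hardened_check(p)} "
              f"handler path={handler_sees(p)!r}")
```

The flawed check passes the twice-encoded path because the string it scans still contains encoded characters, while the path the handler finally uses does not. The hardened check validates the same fully decoded string the handler would act on.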
