For this tutorial I use some of the tools most often used for pentesting web servers and web applications: open source tools like Telnet, httprint, Nikto, and Nessus. I will be using these tools to perform information gathering, scanning, and command execution attacks.
A Short Review First…
Pentesting web servers and web applications over the internet has grown over the past few years. Chances are that when you are talking to a server on the internet you are using the Hyper Text Transfer Protocol (HTTP), and that 70 percent of the servers visible on the internet today are web servers, with tons of services being added on top of HTTP. The web server market has filtered down to two major players: Apache’s Hyper Text Transfer Protocol Daemon (HTTPD) and Microsoft Internet Information Server (IIS); these two servers account for 90 percent of the market share.
Web Server/Application Testing:
Essentially, you can test web server vulnerabilities in different scenarios.
1. Information Gathering
2. Scanning
3. Command Execution Attacks
4. File System and Directory Traversal Attacks
5. Database Query Injection (SQL Injection)
6. Cross Site Scripting Attacks (XSS)
7. Parameter Parsing Attacks
Since I’ll just be covering the first 4, and the first two are pretty obvious, I will continue with 3 and 4…
3. Command Execution Attacks: These attacks can be leveraged when the web server uses user input as part of a command that is executed. An application that allows you to ping a host using a CGI such as http://victim/cgi-bin/ping?ip=10.10.10.1 is clearly running the ping command in the backend with our input as an argument. The idea as an attacker would be to attempt to chain two commands together. A reasonable test would be to try http://victim/cgi-bin/ping?ip=10.10.10.1;whoami; if successful, this would run the ping command and then the whoami command on the victim server.
4. File System and Directory Traversal Attacks: These attacks are used when the web application is seen accessing the file system based on user-submitted input. A CGI that displays the contents of a file called payroll.txt from a URL like http://victim/cgi-bin/diplayFile?name=payroll is clearly making a file system call based on our input.
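A defensive counterpart to the two cases above, added here as an example and not part of the original tutorial: a ping handler that only accepts a literal address for the ip parameter and runs ping without a shell, and a displayFile-style resolver that confines the name parameter to one directory. FILE_ROOT and the .txt suffix are assumptions.

```python
import ipaddress
import pathlib
import subprocess

# Hypothetical directory the displayFile CGI is allowed to read from (assumption).
FILE_ROOT = pathlib.Path("/var/www/files")


def validate_ping_target(ip: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return it normalised.

    Anything else, including '10.10.10.1;whoami' or a value starting with '-',
    raises ValueError, so no shell metacharacter or extra option reaches ping.
    """
    return str(ipaddress.ip_address(ip.strip()))


def build_ping_command(ip: str) -> list:
    """argv list for ping; no string is ever handed to /bin/sh."""
    return ["ping", "-c", "1", validate_ping_target(ip)]


def run_ping(ip: str) -> str:
    """Execute ping directly (shell=False) with a timeout so it cannot hang the CGI."""
    return subprocess.run(build_ping_command(ip), capture_output=True,
                          text=True, timeout=10, check=False).stdout


def resolve_requested_file(name: str, root: pathlib.Path = FILE_ROOT) -> pathlib.Path:
    """Map a user-supplied name such as 'payroll' onto <root>/payroll.txt.

    The name must be a bare file name (no separators, not '.' or '..'); the
    resolved path is then re-checked to still lie under root, which also
    catches symlinks that point outside it.
    """
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("invalid file name")
    candidate = (root / (name + ".txt")).resolve()
    if root.resolve() not in candidate.parents:
        raise ValueError("path escapes the allowed directory")
    return candidate
```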
The Tools in Action…
1. Intelligence Gathering:
When facing a web server, the first tool you can use to determine basic web server information is the Telnet utility. HTTP is not a binary protocol, which means that we can talk to it using standard text. To determine the running version of a web server, you can issue a HEAD request to the server, as shown in the next figure…
Although this is a very simple way to detect the server, administrators quickly caught on and started to change or remove the service banner that identifies the type of web server running. That is why we should not always go by the server string in the response, as it can be customized or made difficult to identify. To demonstrate, take a look at this nmap scan and how it fails to identify a web server whose service banner has been removed. One way to prevent IIS from displaying the version information or service banner in the Server header is to install URLScan on the server; complete information and the tool can be found at http://support.microsoft.com/?id=317741.
One way to get around this is with the Telnet tool: issue a GET request for a nonexistent web page to force the web server to return an error message, in the hope that the server’s error message contains the service banner, as shown in the next figure. Good documentation on banner grabbing techniques can be found at the httprint home site: http://www.net-square.com/httprint/httprint_paper.html#bannergrab
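To check whether a server’s banner suppression also covers its error pages (the gap the GET-for-a-nonexistent-page trick relies on), here is an added example, not from the original page or from httprint: it builds the same minimal HEAD/GET request you would type into telnet and reports any product/version strings found in the Server or X-Powered-By headers or in the response body. The three sample responses are constructed, not captured from a real host.

```python
import re
import socket

# Constructed sample responses (not captured from a real host): a full banner,
# a trimmed banner, and a trimmed banner whose error page still leaks the version.
FULL_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix) PHP/4.3.10\r\n"
               b"Content-Type: text/html\r\n\r\n")
TRIMMED_BANNER = (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>Not Found</html>")
LEAKY_ERROR_PAGE = (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
                    b"Content-Type: text/html\r\n\r\n"
                    b"<address>Apache/1.3.33 Server at victim Port 80</address>")

# product/version tokens such as Apache/1.3.33, Microsoft-IIS/5.0, PHP/4.3.10
VERSION_RE = re.compile(r"\b[A-Za-z][A-Za-z-]*/\d+(?:\.\d+)+")


def build_request(method: str, path: str, host: str) -> bytes:
    """The same minimal HTTP/1.0 request one would type into telnet."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def split_response(raw: bytes):
    """Return (lower-cased header dict, body text) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body.decode("latin-1", errors="replace")


def disclosed_versions(raw: bytes) -> list:
    """List every product/version string in the banner headers or the body.

    The body is scanned too, because a default error page can repeat the full
    signature even when the Server header itself has been trimmed.
    """
    headers, body = split_response(raw)
    text = " ".join([headers.get("server", ""), headers.get("x-powered-by", ""), body])
    return VERSION_RE.findall(text)


def grab(host: str, port: int = 80, method: str = "HEAD", path: str = "/") -> bytes:
    """Live helper: send one request over a plain socket and return the raw reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_request(method, path, host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)
```

To audit your own server, run disclosed_versions on both grab(host) and grab(host, method="GET", path="/does-not-exist") and expect an empty list from each.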
httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, even when they have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings, and it is very easy to add signatures to the signature database. The httprint-gui application is really easy to use and needs no configuration at all: just enter your target DNS name or IP address, select the port number (usually 80 or 443), and fire away. In the next figure we can see that httprint successfully fingerprints the target web server.
httprint also generates an output file with the result of the test…
During the information gathering phase, the entire target web site is often mirrored. Examining this mirror with its directory structure is often revealing to an attacker. Although many tools can do this, I briefly mention lynx because it is installed by default on most Linux distributions and is easy to use…
lynx -crawl -traversal http://victim.com
Nikto: Nikto is one of the most popular web server scanners, designed to fingerprint and test web servers for a variety of possible weaknesses including potentially dangerous files and out-of-date versions of applications and libraries. Nikto can make use of the LibWhisker anti-IDS routines developed by Rain Forest Puppy. In the next figure I proceed to scan the server and have the results exported to an HTML file; also notice the use of the -e switch for IDS evasion.
Useful nikto commands:
nikto.pl -v #list plugins
nikto.pl -update #download and install updates
nikto.pl -h victim -g #the -g flag tells nikto not to trust the banner sent by the server and to do a full scan
nikto.pl -h victim -p 80,443 -g #the -p flag scans ports 80 and 443
nikto.pl -h victim -g -e 6 #use evasion technique 6
In the next video tutorial I finally use the wonders of Nessus to scan and detect vulnerabilities on the target web server. In 1998 the open source scanner Nessus was released by Renaud Deraison, and it quickly became the scanner of choice for many pentesters and analysts in general. For the remainder of this web testing tutorial I decided to do a screencast, in which I will demonstrate how to use Nessus to scan a web server and the underlying application for vulnerabilities, and I finish with parts 3 (Command Execution Attacks) and 4 (File System and Directory Traversal Attacks) of the web server/application testing model explained at the beginning of the page.
So…let’s get hacking!