CEHv8 Module 12: Hacking Webservers
Hacking Webservers
Module 12
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures v8
Engineered by Hackers. Presented by Professionals.
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 12 Page 1601
Security News
GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com
Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.
According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.
Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.
Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.
A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.
AnonymousOwn3r's bio reads "Security leader of #Anonymous ("Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.
Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."

Copyright © 2012 AOL Inc.
By Klint Finley
Module Objectives
Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module highlights the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how an attacker compromises it, the different types of attacks an attacker can carry out against web servers, the tools used in web server hacking, and so on. Web server security is a vast domain, and the finer details of the discussion are beyond the scope of this module. This module familiarizes you with:
• IIS Web Server Architecture
• Why Web Servers Are Compromised
• Impact of Webserver Attacks
• Webserver Attacks
• Webserver Attack Methodology
• Webserver Attack Tools
• Metasploit Architecture
• Web Password Cracking Tools
• Countermeasures
• How to Defend Against Web Server Attacks
• Patch Management
• Patch Management Tools
• Webserver Security Tools
• Webserver Pen Testing Tools
• Webserver Pen Testing
Module Flow
To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. Together these are termed web server concepts, so we discuss them first.
Module flow diagram (sections): Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Security Tools, Webserver Pen Testing, Patch Management, Counter-measures.
This section gives a brief overview of the web server and its architecture. It also explains the common reasons and mistakes that let attackers compromise a web server, and describes the impact of attacks on the web server.
Webserver Market Shares
Source: http://w3techs.com
The following statistics show the percentages of websites using various web servers. From the statistics it is clear that Apache is the most commonly used web server, at 64.6% of sites. Microsoft IIS is next, at 17.4%.


FIGURE 12.1: Web Server Market Shares (bar chart, 0-80%): Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%, then Tomcat and Lighttpd with smaller shares
Open Source Web Server Architecture
The diagram below illustrates the basic components of open source web server architecture.
FIGURE 12.2: Open Source Web Server Architecture (stack reached from the Internet: Linux, Apache, PHP, MySQL, File System, Compiled Extension, Applications; surrounding actors: Site Admin, Site Users, Email, Attacks)
Where,
• Linux - the server's operating system
• Apache - the web server component
• MySQL - a relational database
• PHP - the application layer
IIS Web Server Architecture
Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.
IIS, also known as Internet Information Services, is a web server application developed by Microsoft for use with Microsoft Windows. It is the second most widely deployed web server after Apache HTTP Server, holding around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.
The diagram that follows illustrates the basic components of the IIS web server architecture:
FIGURE 12.3: IIS Web Server Architecture. Client requests arrive from the Internet at the HTTP Protocol Stack (HTTP.SYS) in kernel mode. In user mode, Svchost.exe hosts the Windows Activation Service (WAS) and the WWW Service, which read applicationHost.config. Requests are dispatched to an Application Pool whose Web Server Core runs the pipeline: begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing. Native Modules provide anonymous authentication, the managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging; an AppDomain hosts Managed Modules such as Forms Authentication. External Apps sit alongside the pool.
Website Defacement
Website defacement is the act of changing the content of a website or web page without authorization. Attackers break into the web server and alter the hosted website, replacing its content with their own.
Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
FIGURE 12.4: Website Defacement (browser screenshot of http://juggyboy.com/index.aspx showing a defaced page: "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com")
Why Web Servers Are Compromised
There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.
• Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. These may take the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs in large, complex programs are often the source of security lapses, and web servers are large, complex pieces of software that carry the same inherent risk. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.
• Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make the service almost impossible to use. In an intranet environment, the network administrator has to configure the web server carefully so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.
• End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Active content that the browser fetches from a website can also be a conduit for malicious software to bypass the firewall and permeate the local area network.
The table that follows shows the causes and consequences of web server compromises:
Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible
TABLE 12.1: Causes and consequences of web server compromises
Impact of Web Server Attacks
Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:
• Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker gains a lot of useful information and can use the compromised account to launch further attacks on the web server.
• Data tampering: The attacker can alter or delete data, or even replace it with malware so that whoever connects to the web server is also compromised.
• Website defacement: Attackers completely change the look of the website by replacing the original content, altering the visuals and displaying different pages with messages of their own.
• Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on other websites or on client systems.
• Data theft: Data is one of the main assets of a company. Attackers can gain access to sensitive company data such as the source code of a particular program.
• Root access to other applications or servers: Root access is the highest privilege level on a host, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they obtain root access to the system.
Module Flow
Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Almost every online action is performed with the help of a web server, which makes it a critical resource for an organization; that is the same reason attackers target web servers. There are many attack techniques attackers use to compromise web servers, and we discuss them next: HTTP response splitting attacks, web cache poisoning attacks, HTTP response hijacking, web application attacks, and others.
Web Server Misconfiguration
Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds such a vulnerability, for example a remotely reachable administrative application, it becomes a doorway into the company's network, and these loopholes can help attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website. Typical misconfigurations include:
• Remote administration functions, which give an attacker a way to take control of the server.
• Unnecessary services enabled, each of which adds attack surface.
• Misconfigured or default SSL certificates.
• Verbose debug/error messages.
• Anonymous or default users/passwords.
• Sample configuration and script files.
Web Server Misconfiguration Example
Consider the httpd.conf file on an Apache server:
    <Location /server-status>
        SetHandler server-status
    </Location>
FIGURE 12.5: httpd.conf file on an Apache server
This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.
Consider another example, the php.ini file:
    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off
FIGURE 12.6: php.ini file on an Apache server
This configuration gives verbose error messages: with display_errors = On, PHP writes error details (file paths, line numbers, and often fragments of the failing query) into the page returned to the client, not only into the log.
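To turn the two fragments above into a check a practitioner can actually run, here is an added example (not course code) that parses an httpd.conf <Location> block and a php.ini fragment and reports the weak settings, with the hardened variant of each beside the weak one. The sample texts, the 'Require ip' loopback restriction (Apache 2.4 syntax) and the function names are constructed for this example, and the checks cover only the directives named on this page.

```python
"""Audit Apache and PHP configuration text for the two weak settings shown
above. Added example, not code from the course; the configuration fragments
are constructed, and the checks cover only the directives named on the page."""
from __future__ import annotations
import re

# Constructed sample: the exposed server-status block from the page, and a
# hardened variant restricted to the loopback address (Apache 2.4 syntax).
WEAK_HTTPD = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

HARDENED_HTTPD = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""

# Constructed php.ini fragments: the page's verbose setting and the fixed one
# (errors still logged, no longer rendered into the response).
WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

HARDENED_PHP_INI = """
display_errors = Off
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)
STATUS_RE = re.compile(r"^\s*SetHandler\s+server-status\b", re.I | re.M)
ACCESS_RE = re.compile(r"^\s*(Require|Allow|Deny|Order)\b", re.I | re.M)


def audit_httpd(conf: str) -> list[str]:
    """One finding per <Location> block that enables server-status without
    any access-control directive inside the block."""
    findings = []
    for match in LOCATION_RE.finditer(conf):
        path, body = match.group(1).strip(), match.group(2)
        if STATUS_RE.search(body) and not ACCESS_RE.search(body):
            findings.append(f"{path}: server-status reachable by anyone; add 'Require ip <admin-net>'")
    return findings


def parse_ini(text: str) -> dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' starts a comment,
    keys and values are lower-cased for comparison."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit_php_ini(text: str) -> list[str]:
    """Flag display_errors=On (error text sent to clients) and log_errors not
    On (nothing recorded server-side); a public server wants Off and On."""
    settings = parse_ini(text)
    findings = []
    if settings.get("display_errors") in ("on", "1", "true"):
        findings.append("display_errors=On: PHP errors (paths, query text) are rendered to clients")
    if settings.get("log_errors") not in ("on", "1", "true"):
        findings.append("log_errors is not On: errors are not recorded server-side")
    return findings


if __name__ == "__main__":
    for label, text, check in (("weak httpd.conf", WEAK_HTTPD, audit_httpd),
                               ("hardened httpd.conf", HARDENED_HTTPD, audit_httpd),
                               ("weak php.ini", WEAK_PHP_INI, audit_php_ini),
                               ("hardened php.ini", HARDENED_PHP_INI, audit_php_ini)):
        print(label, "->", check(text) or "no findings")
```

The Apache check treats any Require/Allow/Deny/Order directive inside the block as a restriction; it does not evaluate whether that restriction is actually narrow, so a block containing 'Require all granted' still needs a human look.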
Directory Traversal Attacks
Web servers are designed so that public access is limited to the document root. Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL, typically with "../" sequences or their percent-encoded forms. Attackers can use trial and error to navigate outside of the root directory and access sensitive information on the system.
FIGURE 12.7: Directory Traversal Attacks. A request of the form http://server.com/scripts/ %5c /Windows/System32/cmd.exe?/c+dir+c:\ (the %5c is a percent-encoded backslash used as a path separator) makes the server run cmd.exe, and the response is a listing of C:\ rather than a page under the web root: .rnd, 123.text, AUTOEXEC.BAT, CONFIG.SYS and WinDump.exe, plus the directories CATALINA_HOME, Documents and Settings, Downloads, Intel, Program Files, Snort and WINDOWS (7 files, 13 directories). Beside it, the browser's folder view shows the site directories company, downloads, images, news, scripts and support.
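As an added example (not course code) of the check a server, or a log reviewer, must perform, the following Python decodes a requested path the way the figure's request has to be decoded, including the %5c backslash and double encoding, resolves it against a document root and flags any request that lands outside it. WEB_ROOT, the access-log lines and the function names are constructed for this example, and the Windows request is the figure's URL with the '..' segments around %5c written out. It goes beyond the figure by also handling double-encoded paths and a benign '..' that stays inside the root.

```python
"""Decode and normalize requested URL paths the way a web server must before
mapping them onto the filesystem, and flag requests that escape the document
root. Added example, not code from the course; WEB_ROOT and the log lines are
constructed, and the Windows request is the one from Figure 12.7 with the
'..' segments around %5c written out."""
from __future__ import annotations
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # constructed; the figure's IIS host would use C:\Inetpub\wwwroot

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Sep/2012:10:00:02 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 1337',
    '10.0.0.9 - - [10/Sep/2012:10:00:03 +0000] "GET /..%252f..%252fetc/passwd HTTP/1.1" 404 0',
    '10.0.0.5 - - [10/Sep/2012:10:00:04 +0000] "GET /images/../news/today.html HTTP/1.1" 200 220',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Strip the query string, percent-decode until stable (so %252e becomes
    '.' on the second round) and treat backslashes as separators, which is
    what IIS does and why %5c works in the figure's request."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve(raw: str, root: str = WEB_ROOT) -> tuple[str, bool]:
    """Return (filesystem path, inside_root). Joining under the root before
    normalizing lets posixpath.normpath collapse '..' against the root itself,
    so anything that climbed out no longer carries the root prefix."""
    path = decode_path(raw).lstrip("/")
    full = posixpath.normpath(root + "/" + path)
    inside = full == root or full.startswith(root + "/")
    return full, inside


def flag_requests(log_lines: list[str]) -> list[str]:
    """Return the raw request targets from log_lines that resolve outside the root."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and not resolve(match.group(1))[1]:
            flagged.append(match.group(1))
    return flagged


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("traversal:", target, "->", resolve(target)[0])
```

The fourth log line shows why matching on the literal string ".." is not enough: it contains a dot-dot segment yet resolves to a file inside the root, while the third line contains no ".." at all until its second decoding round. unquote does not emulate IIS's historical acceptance of overlong UTF-8 sequences such as %c0%af; a checker for that server would need its own decoding pass.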
HTTP Response Splitting Attack
An HTTP response splitting attack is a web-based attack in which a server is tricked into emitting attacker-chosen data in its response headers by injecting new lines (CR LF) into a header value. It belongs to the same family of injection attacks as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL injection, and it is commonly chained with XSS or with web cache poisoning.
The attacker crafts a single request whose response the web server emits as what the client, or an intermediate proxy, parses as two responses. This is accomplished by adding header response data into the input field: the attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas a browser will discard the extra responses; an intermediate cache, however, may store them, which is the basis of the web cache poisoning attack described later.
Input = Jason
    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n
    First Response (Controlled by Attacker):
    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker
    Second Response:
    HTTP/1.1 200 OK

Vulnerable servlet code that copies the request parameter straight into the Set-Cookie header:
    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
FIGURE 12.8: HTTP Response Splitting Attack
Web Cache Poisoning Attack
Web cache poisoning is an attack carried out against the reliability of an intermediate web cache, in which the legitimate content cached for a given URL is swapped with infected content. Users of the web cache can unknowingly receive the poisoned content instead of the genuine, secure content when they request that URL through the cache.
An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in the cache. The vulnerable target on the slide is a redirect script that copies a request parameter straight into a response header:
    http://www.juggyboy.com/welcome.php?lang=
    <?php header("Location:" . $_GET['page']); ?>
The diagram on the slide walks through the whole process step by step:
1. The attacker sends a request to remove the page from the cache (Pragma: no-cache):
    GET http://juggyboy.com/index.html HTTP/1.1
    Pragma: no-cache
    Host: juggyboy.com
    Accept-Charset: iso-8859-1,*,utf-8
2. The server returns the normal response after the cache entry for juggyboy.com is cleared.
3. The attacker sends a malicious request that generates two responses (4 and 6):
    GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
    Host: juggyboy.com
4. The attacker gets the first server response.
5. The attacker requests juggyboy.com again to generate a cache entry:
    GET http://juggyboy.com/index.html HTTP/1.1
    Host: testsite.com
    User-Agent: Mozilla/4.7 [en] (WinNT; I)
    Accept-Charset: iso-8859-1,*,utf-8
6. The second response to request 3, the one that points to the attacker's page, is what the cache stores for this request.
7. The attacker gets the second response.
Poisoned server cache:
    Address: www.juggyboy.com | Page: Attacker's page
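The following Python simulation, an added example and not course code, covers both the cookie exchange of Figure 12.8 and the redir.php cache poisoning sequence above: a vulnerable header builder beside a hardened one, a proxy-style parser that cuts a byte stream into responses by Content-Length, and a pipelined fetch that pairs responses with requests in order, so that the injected second response ends up stored for /index.html. The origin handlers, the proxy cache, the body sizes and all function names are constructed; the payload is the slide's query value with its Last-Modified header dropped.

```python
"""Simulate HTTP response splitting and the web cache poisoning it enables,
following the two exchanges on this page (the Set-Cookie servlet and the
redir.php request). Added example, not code from the course: the origin
handlers, the proxy cache and the pipelined connection are constructed, and
the payload is the page's redir.php query with the Last-Modified header
dropped."""
from __future__ import annotations
from urllib.parse import quote, unquote

ATTACK_PAGE = b"<html>Attack Page</html>"
INDEX_BODY = b"<html>Original Juggyboy page</html>"

# Percent-encoded query value: CRLF ends the redirect's header block early
# ("Content-Length: 0" closes it), then a complete second response follows.
PAYLOAD = ("%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0a"
           "Content-Length:%2024%0d%0a"
           "Content-Type:%20text/html%0d%0a%0d%0a"
           "<html>Attack Page</html>")


def cookie_response_vulnerable(author: str) -> bytes:
    """The servlet pattern from Figure 12.8: raw input copied into Set-Cookie."""
    return (b"HTTP/1.1 200 OK\r\nSet-Cookie: author=" + author.encode()
            + b"\r\nContent-Length: 0\r\n\r\n")


def redirect_vulnerable(site: str) -> bytes:
    """The page's header("Location:" . $_GET[...]) behaviour: value copied verbatim."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + site.encode()
            + b"\r\nContent-Length: 0\r\n\r\n")


def redirect_hardened(site: str) -> bytes:
    """Same redirect with CR/LF rejected and the value percent-encoded, so a
    header value can never contain a line break."""
    if "\r" in site or "\n" in site:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (b"HTTP/1.1 302 Found\r\nLocation: " + quote(site, safe=":/?=&").encode()
            + b"\r\nContent-Length: 0\r\n\r\n")


def index_response() -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
            + str(len(INDEX_BODY)).encode() + b"\r\n\r\n" + INDEX_BODY)


def origin(target: str, redirect_handler) -> bytes:
    """Constructed origin server with the two endpoints from the slide."""
    prefix = "/redir.php?site="
    if target.startswith(prefix):
        return redirect_handler(unquote(target[len(prefix):]))
    if target == "/index.html":
        return index_response()
    return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def split_responses(stream: bytes) -> list[bytes]:
    """Cut a byte stream into HTTP responses using Content-Length, the way a
    proxy reading a pipelined connection does (no Content-Length means an
    empty body here)."""
    responses = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        responses.append(head + sep + rest[:length])
        stream = rest[length:]
    return responses


def proxy_fetch(targets: list[str], redirect_handler) -> dict[str, bytes]:
    """Send the requests pipelined on one connection, then pair the responses
    with the requests in order and cache each one under its request target.
    An extra response shifts the pairing: the next request gets the wrong body."""
    stream = b"".join(origin(t, redirect_handler) for t in targets)
    return dict(zip(targets, split_responses(stream)))


if __name__ == "__main__":
    attack = ["/redir.php?site=" + PAYLOAD, "/index.html"]
    print("vulnerable:", proxy_fetch(attack, redirect_vulnerable)["/index.html"][-24:])
    print("hardened:  ", proxy_fetch(attack, redirect_hardened)["/index.html"][-35:])
```

With the vulnerable handler the stream carries four messages for two requests (the real redirect, the injected attack page, the leftover tail of the redirect, and the genuine index page), and the in-order pairing binds the attack page to /index.html exactly as step 6 on the slide describes. With the hardened handler the injected value never reaches a header, the pairing stays one-to-one, and /index.html caches the genuine page.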
