Functioning of a Web Server
The Internet has become part and parcel of our daily lives. Surfing the net relies on complex mechanisms, at the root of which lies entering the web address of the desired site. When you enter a domain name as a URL (Universal Resource Locator), the URL is separated into three parts, namely the protocol, the server name and the file name. Suppose we have chosen the URL http://www.ebay.in/web-server.htm; here http is the protocol, www.ebay.in is the name of the server, and web-server.htm is the file name.
The chosen browser (Internet Explorer, Firefox, Chrome etc.) communicates with a name server to translate the entered server name 'www.ebay.in' into an IP address. This IP address is used to connect to the server on which the chosen site's information is stored. Port 80 is used as the bridge that lets the browser establish a connection to the server at that IP address.
Following the HTTP protocol, the browser sends a 'GET' request to the server, asking for the file http://www.ebay.in/web-server.htm. In response, the server sends the HTML text of the requested web page to the browser. The browser reads the HTML tags and formats the page to suit your computer's screen.
Loopholes of Web Server / Web Application
The web server is vulnerable to a host of potential attack modes that can compromise its performance and security. Loopholes in the web server can be exposed and exploited by:
- Injection Attacks
- PHP Remote File Includes
- Cross Site Scripting (XSS)
- Cross Site Request Forgeries (CSRF)
- Insecure Communications
Some web servers that rank higher on the popularity scale are:
- Apache Server
- Microsoft IIS Server
- IBM Lotus
- Lighttpd
Vulnerabilities of the Apache Server
- CVE-2013-2249 – mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a given session without considering the dirty flag and the need for a new session ID, which has unspecified impact and remote attack vectors.
- CVE-2013-1896 – mod_dav.c in the Apache HTTP Server before 2.2.25 fails to properly determine whether DAV is enabled for a given URL. This allows remote attackers to cause a denial of service (segmentation fault) through a MERGE request in which the URI is set up to be handled by the mod_dav_svn module, but a given href attribute points to a non-DAV URI.
- CVE-2013-1862 – mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters. This leaves scope for remote attackers to execute arbitrary commands through an HTTP request that contains an escape sequence for a terminal emulator.
- CVE-2012-4558 – Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.4.x. These permit remote attackers to inject arbitrary web script or HTML through a crafted string.
- CVE-2012-4557 – The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 puts a worker node into an error condition when it detects a long request-processing time. This allows remote attackers to cause a denial of service (worker consumption) through an expensive request.
- CVE-2012-3502 – The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection. This makes it easy for remote attackers to gain access to critical information in opportunistic situations by reading a response that was meant for a different client.
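The CVE-2013-1862 entry above comes down to request data reaching a log file with its non-printable characters intact. The following added example (not code from Apache or from the original post) shows the defensive side in Python: escaping control characters before a field is logged, and scanning an existing log for lines that still hold them. The function names and the sample log lines are assumptions made for illustration.

```python
import re

# Characters a terminal emulator may act on: C0 controls except TAB, DEL,
# and the C1 range. ESC (0x1b) starts most terminal escape sequences.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(field: str) -> str:
    """Make a request-derived field safe to write to a log.

    Backslashes are doubled first so the \\xNN escapes stay unambiguous.
    """
    doubled = field.replace("\\", "\\\\")
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), doubled)


def scan_log(lines):
    """Return [(line_number, [hex code points])] for lines with raw controls."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = CONTROL.findall(line.rstrip("\n"))
        if hits:
            findings.append((number, sorted({"0x%02x" % ord(c) for c in hits})))
    return findings


# Constructed sample lines (not real server output). Line 2 embeds a harmless
# "set colour" escape sequence to stand in for request-supplied bytes.
SAMPLE_LOG = [
    "192.0.2.10 (2) init rewrite engine with requested uri /index.html\n",
    "192.0.2.77 (2) init rewrite engine with requested uri /a\x1b[31mb\n",
    "192.0.2.10 (3) applying pattern '^/old' to uri '/index.html'\n",
]

if __name__ == "__main__":
    for number, codes in scan_log(SAMPLE_LOG):
        print("line %d holds raw control characters: %s" % (number, ", ".join(codes)))
    # Safe to view in a terminal: the ESC byte is shown as text.
    print(neutralize("/a\x1b[31mb"))
```

When scanning a real log file, open it with `encoding="latin-1"` so that every byte maps to exactly one code point and nothing is dropped by a decoding error.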
Ways to Launch an Assault against an IIS Server
- Path Traversal
- Known Worms
- Remote Command Execution
- Probes
- Denial of Service Attacks
- Compromised Servers
IIS Server Components
Efficient configuration of an IIS server first requires a proper understanding of the critical IIS components. IIS has a wide range of components, but the prominent ones are listed below for ready reference.
- HTTP protocol stack (http.sys)
- Worker process
- WWW Service Administration and Monitoring
- HTTP Protocol Stack (HTTP.sys) – When a new website is created and hosted, IIS registers the site with http.sys. It responds to all Hypertext Transfer Protocol (HTTP) requests for the website.
- http.sys is a driver used by IIS. It ensures fast processing of requests and uninterrupted service in the event that a worker process fails. The HTTP protocol stack provides the following services in IIS 6.0:
- Routing HTTP services to the proper request queue.
- Caching of requests in kernel mode.
- Text-based logging for the WWW service.
- Worker processes – These process requests such as returning a static page or running a CGI handler. IIS can be configured to run multiple worker processes.
- WWW Service Administration and Monitoring – Like http.sys and the worker process, this component is part of the core IIS functionality that never loads external code. It is responsible for managing the worker processes, which includes starting them and maintaining information about the running worker processes.
IIS Directory Traversal
Microsoft Internet Information Server (IIS) allows a remote attacker to obtain a directory listing from the web server. This is due to a loophole in the Web Distributed Authoring and Versioning (WebDAV) search function. A remote attacker can exploit this vulnerability to search for and view certain files on the system, such as .inc files, which may carry critical authentication information such as usernames and passwords.
These issues can be resolved by taking the following steps:
- The "index this resource" option should be disabled for directories containing critical information.
- If the index server is not in active use, it should be disabled or uninstalled.
Unicode and Unicode Directory Traversal Vulnerability
The Unicode vulnerability of the IIS server has been exploited by Red Worm, Red Worm II and the Nimda worm to achieve their objectives. There are two major vulnerabilities. The first is the IIS/PWS Extended Unicode Directory Traversal Vulnerability, whereas the second is the IIS/PWS Escaped Character Decoding Command Execution Vulnerability.
Hacking Tools:
There are some hacking tools available on the web, which even inexperienced hackers may use to break the security of IIS servers. The most important of them are listed below.
IISxploit.exe

execiis-win32.exe: Another hacking tool, which exploits the IIS directory traversal and accepts commands from a cmd prompt for execution of the exploit on the IIS server.

RPC DCOM Vulnerability
The RPC DCOM vulnerability is present in the Windows Component Object Model subsystem, which is a critical service used by the majority of Windows applications. It was detected in July 2003. The DCOM service is enabled by default in Windows NT, 2000, XP and 2003. The RPC protocol allows a program to run code on a remote machine. This allows attackers to look for the vulnerability in COM via any of the following ports:
Port 135 – Remote Procedure Call
Port 139 – The NetBIOS session service runs on this port, and all file and printer sharing on a Windows machine runs over it.
Port 445 – TCP port 445 is used for direct TCP/IP MS Networking access without requiring the intervention of a NetBIOS layer.
Port 593 – HTTP RPC Ep Map, Distributed Component Object Model and Microsoft Exchange Server services.
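To check whether a Windows host exposes the ports listed above, an administrator can audit its listening sockets. The following added example (not part of the original post) parses Windows `netstat -ano` output in Python and reports listeners on those four ports that are bound to a non-loopback address. The function name and the sample output are assumptions made for illustration.

```python
import re

# Ports named in the text above, with the page's own labels.
RPC_PORTS = {
    135: "Remote Procedure Call",
    139: "NetBIOS session service",
    445: "direct TCP/IP MS Networking",
    593: "HTTP RPC Ep Map",
}

# One listening TCP row of Windows `netstat -ano` output.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def exposed_rpc_listeners(netstat_output: str):
    """Return sorted (port, local_address, pid) for non-loopback listeners."""
    findings = []
    for line in netstat_output.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header, UDP, or a connection that is not listening
        address, port, pid = match.group(1), int(match.group(2)), int(match.group(3))
        loopback = address.startswith("127.") or address == "[::1]"
        if port in RPC_PORTS and not loopback:
            findings.append((port, address, pid))
    return sorted(findings)


# Constructed sample output (addresses taken from documentation ranges).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING       1500
  TCP    192.0.2.15:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.15:49712       198.51.100.7:443       ESTABLISHED     3320
  TCP    [::]:135               [::]:0                 LISTENING       912
"""

if __name__ == "__main__":
    for port, address, pid in exposed_rpc_listeners(SAMPLE_NETSTAT):
        print("port %d (%s) listening on %s, PID %d"
              % (port, RPC_PORTS[port], address, pid))
```

A listener reported here is reachable from the network unless a firewall blocks it, so each finding should be matched against the firewall rules for that host.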
Hot Fixes and Patches
A hot fix is code used to fix a bug in a product. Users of the product learn about hot fixes through notifications published on the vendor's website, and also through emails from the vendor. Hot fixes sometimes come packaged as a set of fixes known as a combined hot fix or service pack. A patch can be viewed as a repair job for a programming problem: it provides alternate code that is rid of the known vulnerability of the previous code.
Countermeasures of Web Server
- Use only well-configured and acclaimed firewalls for heightened security
- Rename the administrator account so that it is not easily predictable
- Remove any unused application that is floating around
- Disable directory browsing
- Apply Service Packs, Hot Fixes, and Templates
- Analyse malicious input in forms and query strings so that the attacker cannot exploit their inherent vulnerabilities
- Disable remote administration
By adhering to the aforementioned steps, you can minimize the risk of external malicious attacks on the IIS server by hackers.
Thank You
Your:- Swetabh suman
