Finding Default Credentials of a Web Server
Administrators and security personnel use administrative interfaces to securely configure, manage, and monitor web application servers. Many web server administrative interfaces are publicly accessible and are located within the web root directory. Often these administrative interface credentials are not properly configured and remain set to their defaults. Attackers attempt to identify the administrative interface running on the target web server by performing port scanning.
Once the running administrative interface is identified, the attacker performs the following techniques to identify the default login credentials:
1. Consult the administrative interface documentation and identify the default passwords
2. Use Metasploit’s built-in database to scan the server
3. Use online resources such as Open Sez Me (http://open-sez.me) and cirt.net (https://cirt.net/passwords) to find the default passwords
4. Attempt password-guessing and brute-forcing attacks
Finding these default credentials can give access to the administrative interface, compromising the respective web server and allowing the attacker to exploit the main web application itself.
cirt.net is a lookup database for default passwords, credentials, and ports.
Following are some of the additional websites for finding web server administrative interface default passwords:
Finding Default Content of Web Server
Most web application servers contain default content and functionality that attackers can leverage in attacks. Following are a number of the common default contents and functionalities that an attacker tries to identify on web servers:
• Administrator debug and test functionality
Functionality designed for administrators to debug, diagnose, and test the web applications and web servers contains useful configuration information and the run-time state of both the server and its running applications. Hence, this functionality is a prime target that lures attackers.
• Sample functionality to demonstrate common tasks
Many servers contain various sample scripts and pages that are designed to demonstrate certain application server functions and APIs. Often, the web server fails to secure these scripts from attackers, since these sample scripts either contain vulnerabilities that attackers can exploit or implement functionality that attackers can abuse.
• Publicly accessible powerful functions
Some web servers include powerful functionality that is intended for administrative personnel and restricted from public use. However, an attacker tries to exploit such powerful functions to compromise the server and gain access. For example, some application servers allow web archives to be deployed over the same HTTP port as that used by the application itself. An attacker uses common exploitation frameworks like Metasploit to perform scanning to identify default passwords, upload a backdoor, and gain command shell access to the target server.
• Server installation manuals
An attacker tries to identify the server manuals, which may contain useful information about the configuration and installation of the server. Accessing this information allows the attacker to prepare an appropriate framework to exploit the installed web server.
You can use tools such as Nikto 2 and exploit databases such as SecurityFocus (http://www.securityfocus.com) to identify the default content.
Nikto is a vulnerability scanner that is used extensively to identify potential vulnerabilities in web applications and web servers.
Finding Directory Listings of Web Server
When a web server receives a request for a directory rather than a particular file, the web server responds to the request in one of the following ways:
• Return Default Resource within directory
It may return a default resource within the directory, such as index.html
• Return Error
It may return an error, such as the HTTP status code 403, indicating that the request is not permitted
• Return listing of directory content
It may return a listing showing the contents of the directory. A sample directory listing is illustrated in the above screenshot.
Though directory listings do not have significant relevance from a security point of view on their own, they sometimes exhibit the following weaknesses that allow attackers to compromise the web application:
• Improper access controls
• Unintentional access to web root of servers
In general, after discovering a directory on the web server, attackers make a request for that same directory and try to access the directory listing. Attackers also try to exploit vulnerable web server software that provides access to directory listings.
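As an added example (not part of the original article), the following Python code classifies how a server answered a directory request into the three behaviours described above and extracts the file names from an auto-generated index page, which is how a defender would audit their own servers for unintended listings. The sample responses and the title markers for common auto-index pages are assumptions made for this example.

```python
"""Classify a web server's answer to a directory request and pull the
entries out of an auto-generated index page, for auditing your own servers
for unintended listings. Sample responses are constructed for this example."""
from html.parser import HTMLParser
import re

# Title markers used by common auto-index pages (assumed for this example)
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s", re.I),             # Apache, nginx autoindex
    re.compile(r"<title>\s*Directory listing for", re.I),  # Python http.server
)

class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in a listing page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def classify_directory_response(status, body):
    """'forbidden' (403), 'listing', 'default_resource' (200, no markers) or 'other'."""
    if status == 403:
        return "forbidden"
    if status != 200:
        return "other"
    if any(marker.search(body) for marker in LISTING_MARKERS):
        return "listing"
    return "default_resource"

def listing_entries(body):
    """Names exposed by an index page, dropping sort links ('?C=N;O=D'),
    absolute links and the parent-directory entry."""
    parser = _LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs
            if not h.startswith(("?", "/", "#")) and h != "../"]

# Constructed sample bodies: an Apache-style listing and a normal index page
LISTING_BODY = """<html><head><title>Index of /backup</title></head><body>
<table><tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="db-2023.sql.gz">db-2023.sql.gz</a></td></tr>
<tr><td><a href="config.php.bak">config.php.bak</a></td></tr>
</table></body></html>"""
INDEX_BODY = "<html><head><title>Welcome</title></head><body>Home</body></html>"
```

A listing that exposes backup or configuration files like those in the sample is the case to fix first, typically by disabling auto-indexing and removing the files from the web root.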
Vulnerability scanning identifies vulnerabilities and misconfigurations of a target web server or network. It finds possible weaknesses in a target server that can be exploited during a web server attack. An attacker uses various automated tools to perform vulnerability scanning on a target server. Attackers also use sniffing techniques to gather data about network traffic in order to find active systems, network services, and applications during the vulnerability-scanning phase. You can use tools like Acunetix Web Vulnerability Scanner to perform vulnerability scanning and find hosts, services, and vulnerabilities.
• Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner scans websites and detects vulnerabilities. Acunetix WVS checks web applications for SQL injection, XSS, and so on. It includes advanced pen testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports. It is supported by AcuSensor Technology, which detects more vulnerabilities and generates fewer false positives. It supports testing of web forms and password-protected areas, pages with CAPTCHA, single sign-on, and two-factor authentication mechanisms. It detects application languages, web server types, and smartphone-optimized sites. Acunetix crawls and analyzes different types of websites, including HTML5, SOAP, and AJAX. It supports scanning of network services running on the server and port scanning of the web server.
Following are some of the additional vulnerability scanning tools:
- Fortify WebInspect (https://software.microfocus.com)
Finding Exploitable Vulnerabilities
Software design flaws and programming errors cause security vulnerabilities. An attacker takes advantage of these vulnerabilities to perform various attacks on the confidentiality, availability, or integrity of a system. Attackers exploit software vulnerabilities such as programming flaws in a program, a service, or the OS software or kernel to execute malicious code.
Many public vulnerability repositories are available online that provide access to information about various software vulnerabilities. Attackers search for exploitable web server vulnerabilities based on the web server's OS and software applications on exploit sites like SecurityFocus (http://www.securityfocus.com) and Exploit Database. Attackers use the information gathered in the previous stages to narrow the search to the relevant vulnerabilities.
Exploiting these vulnerabilities allows an attacker to execute a command or binary on a target machine to gain higher privileges than the existing ones or to bypass security mechanisms. Attackers using these exploits can even access privileged user accounts and credentials.
Attackers sniff valid session IDs to gain unauthorized access to the web server and snoop on the data. An attacker can hijack or steal valid session content using various techniques like session token prediction, session replay, session fixation, side-jacking, XSS, and so on. Using these techniques, an attacker tries to capture valid session cookies and IDs in established sessions. Attackers use tools like Burp Suite, Firesheep, JHijack, and so on to automate session hijacking.
• Burp Suite
Burp Suite is a web security testing tool that can hijack the session identifiers in established sessions. The Sequencer tool in Burp Suite tests the randomness of session tokens. With this tool, an attacker can predict the next possible session ID token and use it to take over a legitimate session.
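The randomness test that Sequencer performs can be approximated at small scale to check one's own application's session IDs before an attacker does. The following added Python example (not part of the original article or of Burp Suite) computes per-position Shannon entropy over a sample of tokens and flags counter-based IDs; the weak tokens are constructed for this example and the strong ones come from the OS CSPRNG for comparison.

```python
"""Small-scale version of the randomness test Burp Sequencer performs:
per-position Shannon entropy over a sample of session tokens, plus a check
for a counter-based (strictly increasing) ID. Weak tokens are constructed
for this example; strong ones come from the OS CSPRNG for comparison."""
import math
import secrets
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy in bits of the character seen at each position."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def looks_sequential(tokens):
    """True if the tokens, read as hex integers, strictly increase: the
    classic symptom of a session ID built from a counter."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    return all(b > a for a, b in zip(values, values[1:]))

def assess_tokens(tokens, min_bits=3.0):
    """Verdict 'weak' if IDs increment or most positions carry little
    entropy (below min_bits per character), otherwise 'ok'."""
    entropy = position_entropy(tokens)
    low = sum(1 for e in entropy if e < min_bits)
    sequential = looks_sequential(tokens)
    weak = sequential or low > len(entropy) // 2
    return {"positions": len(entropy), "low_entropy_positions": low,
            "sequential": sequential, "verdict": "weak" if weak else "ok"}

# Constructed weak IDs: fixed prefix plus a 32-bit counter (16 hex chars)
WEAK_TOKENS = ["deadbeef%08x" % (0x1000 + i) for i in range(64)]
# Strong IDs: 16 random bytes from the OS CSPRNG, hex encoded
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(64)]
```

With only 64 samples the entropy estimate is rough; a real assessment needs thousands of tokens, which is why Sequencer captures them in bulk.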
Following are some of the additional session hijacking tools:
- Firesheep (https://codebutler.com)
- JHijack (https://sourceforge.net)
- Ettercap (https://ettercap.github.io)
- CookieCatcher (https://github.com)
- Cookie Cadger (https://www.cookiecadger.com)
Web Server Password Hacking
In this phase of web server hacking, an attacker tries to crack web server passwords. An attacker tries all possible techniques of password cracking to extract passwords, including password guessing, dictionary attacks, brute force attacks, hybrid attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, and so on. An attacker needs patience, as some of these techniques are tedious and time-consuming. An attacker can also use automated tools like hashcat, THC Hydra, ncrack, and so on to crack web passwords and hashes.
Hashcat is a multi-OS, multi-platform password cracker that can perform multi-hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160, etc.), multi-device password cracking. The attack modes of this tool are straight, combination, brute force, hybrid dict + mask, and hybrid mask + dict.
Following are the features of Hashcat:
* Multi-OS (Linux, Windows, and OSX)
* Multi-Platform (CPU, GPU, DSP, FPGA, etc., everything that comes with an OpenCL runtime)
* Multi-Hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160, etc.)
* Multi-Devices and Device-Types
* Supports distributed cracking networks (using overlay)
* Supports interactive pause/resume
* Supports sessions and restore
* Supports reading password candidates from file and stdin
* Supports hex-salt and hex-charset
* Supports automatic performance tuning and automatic keyspace ordering using Markov chains
* Built-in benchmarking system and integrated thermal watchdog
Following are some of the additional password cracking tools:
– THC Hydra (https://www.thc.org)
– Ncrack (https://nmap.org)
– Rainbow crack (http://project-rainbowcrack.com)
– Wfuzz (http://edge-security.com)
– Davegrohl (https://github.com)
– Medusa (http://foofus.net)
– Wireshark (https://www.wireshark.org)
Using Application Server as a Proxy
Sometimes, web servers are configured to act as a forward or reverse HTTP proxy. Web servers with these functions enabled are used by attackers to perform the following attacks:
• Attacking third-party systems on internet
• Connecting to arbitrary hosts on the organization’s internal network
• Connecting back to other services running on the proxy host itself
Attackers use GET and CONNECT requests to turn vulnerable web servers into proxies, connecting to and acquiring information from target systems through these web servers.
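As an added example (not from the original article), the following Python code scans access-log lines for exactly those CONNECT and absolute-URI GET requests, which is how a defender would confirm from the logs whether a server is being abused as an open proxy and which of the three targets above were reached. The combined log format and the sample lines are assumptions constructed for this example.

```python
"""Scan access-log lines (Apache/nginx combined format) for requests that
try to use the server as a forward proxy: CONNECT requests and GETs whose
request-target is an absolute URI rather than a path. A 2xx status on
such a request shows the proxy function is reachable from that client.
Log format and sample lines are assumptions constructed for this example."""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) ')

def is_proxy_style(method, target):
    """True for CONNECT, or when the request-target is an absolute URI."""
    if method == "CONNECT":
        return True
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def find_proxy_attempts(lines):
    """Return the flagged requests with client, destination and outcome."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_proxy_style(m["method"], m["target"]):
            continue
        if m["method"] == "CONNECT":
            dest = m["target"]                    # host:port tunnel target
        else:
            dest = urlsplit(m["target"]).netloc   # origin of the absolute URI
        status = int(m["status"])
        hits.append({"client": m["ip"], "method": m["method"], "destination": dest,
                     "status": status, "succeeded": 200 <= status < 300})
    return hits

# Constructed sample: one normal request, then the three abuse patterns from
# the text (internal host, the proxy host itself, a third-party site)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "CONNECT 10.0.0.5:3389 HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET http://127.0.0.1:8080/ HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET http://example.org/ HTTP/1.1" 200 512 "-" "curl/8.0"',
]
```

A 200 on a CONNECT to an internal host, as in the second sample line, is the finding that matters: it means the server is tunnelling traffic into the network and proxying should be disabled or restricted to an allow-list.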
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com