

Friday, August 14, 2009

IIS Components

  • IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities.

  • Example: Server side scripting, Content Indexing, Web Based printing etc.

  • This architecture provides attackers with different functionality to exploit via malicious input.

On an IIS Web server with no service packs or hotfixes applied, there are far too many ways in which a command shell can be invoked through inetinfo.exe, the IIS process. Yet there is no legitimate reason for inetinfo.exe to invoke a shell at all.

IIS consists of several components. These include:

  • Background Intelligent Transfer Service (BITS) server extension: BITS is a background file transfer mechanism used by applications such as Windows Updates and Automatic Updates.

  • Common Files: On a dedicated Web server, these files are required by IIS and must always be enabled.

  • File Transfer Protocol (FTP) Service: Allows the Web server to provide FTP services. This component is not required on a dedicated Web server. However, this may be enabled on a server that is only used for posting content, to support software such as Microsoft FrontPage® 2002 without enabling FrontPage 2002 Server Extensions. Because the FTP credentials are always sent in plaintext, it is recommended to connect to FTP servers through a secured connection, such as those provided by IPSec or a VPN tunnel.

  • FrontPage 2002 Server Extensions: Provides FrontPage support for administering and publishing Web sites. On a dedicated Web server, this must be disabled when no Web sites are using FrontPage Server Extensions.

  • Internet Information Services Manager: Administrative interface for IIS. This is to be disabled when the Web server is not administered locally.

  • Internet Printing: Provides Web-based printer management and allows printers to be shared by using HTTP. This component is usually not required on a dedicated Web server.

  • NNTP Service: Distributes, queries, retrieves, and posts Usenet news articles on the Internet. This component is not required on a dedicated Web server.

  • SMTP Service: Supports the transfer of electronic mail. This component is not required on a dedicated Web server.

  • World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server. If this component is not enabled, then all subcomponents are not enabled.

    • Active Server Pages: Provides support for Active Server Pages (ASP). Disable this component if none of the Web sites or applications on the Web server uses ASP.

    • Internet Data Connector: Provides support for dynamic content provided through files with .idc extensions. Disable this component if none of the Web sites or applications on the Web server includes files with .idc extensions.

    • Remote Administration (HTML): Provides an HTML interface for administering IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

    • Remote Desktop Web Connection: Includes Microsoft ActiveX® controls and sample pages for hosting Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.

    • Server-Side Includes: Provides support for .shtm, .shtml, and .stm files. Disable this component if none of the Web sites or applications on the Web server includes files with these extensions.

    • WebDav Publishing: Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Disable this component on a dedicated Web server.


ISAPI DLL Buffer Overflows
  • One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.

  • In 2001, IIS servers were ravaged by versions of the Code Red and Nimda worms which were both based on buffer overflow exploits.

ISAPI - Introduction

Internet Server Application Programming Interface (ISAPI) is an API developed to provide the application developers with a powerful way to extend the functionality of Internet Information Server (IIS). ISAPI allows web developers to develop custom code that provides additional web services. This custom code can either be implemented in an ISAPI filter, if the new functionality provides a low-level service, or conversely an ISAPI extension, if the new functionality provides a high-level service. Although ISAPI extensions are not limited to IIS, they are extensively used in conjunction with web servers.

---Regards,
Amarjit Singh

Attacks against IIS

  • IIS is one of the most widely used Web server platforms on the Internet.

  • Microsoft's Web Server has been the frequent target over the years.

  • It has been attacked by various vulnerabilities. Examples include:

    1. ::$DATA vulnerability

    2. showcode.asp vulnerability

    3. Piggy backing vulnerability

    4. Privilege command execution

    5. Buffer Overflow exploits (IIShack.exe)

Let us look at some of the technology that forms the basis of web applications.

Simple HTML could not contribute much to the dynamic nature of interaction on the web. Therefore, dynamic capabilities were added by using Common Gateway Interface (CGI) applications. These applications ran on the server and generated dynamic content tailored to each request. This capability to process input and generate pages in real time greatly expanded the functional potential of a Web application.

However, as CGI programs were both discrete and resource intensive with each HTTP request, Microsoft introduced two distinct technologies to serve as the basis for Web applications: Active Server Pages (ASP) and the Internet Server Application Programming Interface (ISAPI).

ASP scripts are usually written in a human-readable scripting language like Visual Basic, and Microsoft asserts that the technology is largely language-neutral. The ASP interpreter is implemented as an ISAPI DLL.

ISAPI, on the other hand, is much less visible to end users. Quite naturally, Microsoft uses many ISAPI DLLs to extend IIS itself. ISAPI DLLs are binary files that are not human-readable. However, if the user knows the name of an ISAPI DLL, it can be called via HTTP. They are capable of running inside or outside the IIS process (inetinfo.exe) and, once instantiated, remain resident, thereby reducing the overhead of spawning a new process for a CGI executable to service each request.

Internet Information Services (IIS) has been consistently targeted for attacks. Server administrators have been overwhelmed by more than 100 vulnerabilities discovered in IIS web servers in just the last few years alone. It has been seen that when a web server is attacked, the attacker usually tries to run certain commands or access certain files.

For instance, one popular command that an attacker is likely to run during the course of the attack is cmd.exe. Another file that is likely to be of interest to an attacker on IIS is global.asa, which often contains passwords or other sensitive information. Previously, many exploits on IIS have involved traversing directories, viewing server-side scripts, or running a remote command.
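The request patterns named above (cmd.exe, global.asa, and the directory-traversal and stream tricks described in the sections that follow) are exactly what an administrator should be looking for in the web server's logs. The scanner below is an added example and is not code from the original post; it flags IIS-style W3C log lines that show these patterns. The log lines are constructed for the demonstration, and the field layout `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status` is an assumption about how logging was configured.

```python
"""Added example, not part of the original post: a scanner that flags IIS-style
W3C log lines showing the request patterns the post names as typical of an
attack on IIS (cmd.exe calls, reads of global.asa, the ::$DATA stream suffix
and '..' directory traversal).  The log lines are constructed for the demo, and
the field layout 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'
is an assumption about how logging was configured."""
import re
from urllib.parse import unquote

# Label plus pattern, applied to the decoded URI path and query together.
INDICATORS = [
    ("cmd.exe invocation", re.compile(r"cmd\.exe", re.I)),
    ("global.asa access", re.compile(r"global\.asa", re.I)),
    ("NTFS ::$DATA stream", re.compile(r"::\$data", re.I)),
    ("directory traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
]

# Constructed sample log: two ordinary requests, then four suspicious ones.
LOG_LINES = """\
2009-08-14 10:01:02 10.0.0.5 GET /default.asp - 200
2009-08-14 10:01:09 10.0.0.5 GET /images/logo.gif - 200
2009-08-14 10:02:33 203.0.113.7 GET /msadc/samples/showcode.asp source=/msadc/samples/..%2F..%2F..%2Fwinnt%2Fwin.ini 200
2009-08-14 10:02:41 203.0.113.7 GET /default.asp::$DATA - 200
2009-08-14 10:03:05 203.0.113.7 GET /scripts/cmd.exe - 404
2009-08-14 10:03:20 203.0.113.7 GET /global.asa - 403
""".splitlines()


def parse_line(line):
    """Split one W3C line into a dict, or return None for comments/short lines."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, client, method, stem, query, status = fields
    return {"client": client, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": int(status)}


def find_indicators(line):
    """Return the labels of every indicator matching this line."""
    rec = parse_line(line)
    if rec is None:
        return []
    # Decode percent-encoding exactly once, mirroring what a correctly behaving
    # server does before it touches the file system, so '%2e%2e' is seen as '..'.
    target = unquote(rec["stem"] + " " + rec["query"])
    return [label for label, pat in INDICATORS if pat.search(target)]


def scan(lines):
    """Return (client, stem, labels) for each line that trips an indicator."""
    hits = []
    for line in lines:
        labels = find_indicators(line)
        if labels:
            rec = parse_line(line)
            hits.append((rec["client"], rec["stem"], labels))
    return hits


if __name__ == "__main__":
    for client, stem, labels in scan(LOG_LINES):
        print(f"{client} {stem}: {', '.join(labels)}")
```

Note that a hit is reported regardless of the status code: a 404 for cmd.exe still tells you someone is probing, and a 200 tells you the probe worked.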

Threat

Some of the popular vulnerabilities have been:

::$DATA IIS Vulnerability

Microsoft's Internet Information Server (IIS) contained a vulnerability in how it handles the multiple data streams NTFS provides for each file. The $DATA vulnerability, published in mid-1998, resulted from an error in the way the Internet Information Server parsed file names. $DATA is an attribute of the main data stream (which holds the "primary content") stored within a file on NT File System (NTFS). By creating a specially constructed URL, it was possible to use IIS to access this data stream from a browser.

By doing so the attacker could display the code of the file containing that data stream and any data that the file held. This method could be used to display a script-mapped file that could normally be acted upon only by a particular Application Mapping. The contents of these files are not ordinarily available to users. However, in order to display the file, the file must reside on the NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must also know the file name. By appending the string ::$DATA, a remote user could view the contents of a file that is normally set to be acted upon by an Application Mapping, such as Active Server Pages (ASP). The attacker, however, must previously have read access to this file to view its contents. This attack could allow a user to read potentially proprietary and compromising script source. This vulnerability affected Microsoft IIS versions earlier than 3.0.

Showcode.asp

Showcode.asp is a script that allows a web developer to easily view the code for a number of examples included with Internet Information Server. It comes under several different guises, including showcode.asp, viewcode.asp, and codebrws.asp among others. Essentially it lets the developer view the code of a server-side script without executing it. The problem is that it does not just stop at that because with some manipulation of the URL it lets an attacker view any file on the same drive as the script. With a little playing around one can easily compromise an entire server and any sensitive information it contains.

Showcode.asp is included as an example with the Microsoft Data Access Components that are installed with a number of products or that can be installed individually. The default install location is C:\Program Files\Common Files\SYSTEM\MSADC. On a web server, that subdirectory is also mapped as a virtual directory named MSADC off the web root.

Showcode.asp takes a single argument indicating the name of the file to be viewed. Though the sample code was initially intended to view code samples in the MSADC directory, a malicious user can start prodding by supplying a path under MSADC and then using directory traversal to move up the directory tree and on to any path on the same drive. The vulnerability occurred because the sample script failed to check for the double-dot (..) sequence in its argument, thereby making it exploitable.
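Both the ::$DATA bug and the showcode.asp bug come down to a file name taken from the request and handed to the file system without validation. The function below is an added example, not code from the original post or from Microsoft's sample: it shows the argument check that showcode.asp lacked, resolving the requested name against a fixed sample directory and refusing anything that escapes it through `..` or that names an NTFS alternate data stream. The root path, suffix list and test values are constructed for the demonstration.

```python
"""Added example, not from the original post: the kind of argument check the
showcode.asp sample lacked.  It resolves the requested file name against a
fixed sample directory and refuses anything that escapes that directory through
'..' or that names an NTFS alternate data stream such as ::$DATA.  The root
path, suffix list and test values are constructed for the demonstration."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Server-relative directory the sample viewer may read from (constructed).
SAMPLES_ROOT = "/msadc/samples"
# The only source types the viewer exists to display.
ALLOWED_SUFFIXES = (".asp", ".htm", ".html", ".txt")


def resolve_sample_path(source_arg: str) -> Optional[str]:
    """Return the normalized server-relative path for `source_arg`, or None
    when the request must be refused.  The check works on the URL form of the
    path, so it behaves the same regardless of the host operating system."""
    if not source_arg:
        return None
    # Decode percent-encoding exactly once, then fold backslashes, which are
    # path separators on a Windows host, so '..\\' cannot bypass a '../' test.
    candidate = unquote(source_arg).replace("\\", "/")
    # A colon inside a file name is never legitimate here: on NTFS
    # 'page.asp::$DATA' (or 'page.asp:stream') selects a data stream, which is
    # exactly how the ::$DATA bug exposed script source.
    if ":" in candidate:
        return None
    # Treat the argument as relative and collapse '.' and '..' segments.
    full = posixpath.normpath(posixpath.join(SAMPLES_ROOT, candidate.lstrip("/")))
    # After normalization a traversal shows up as a path outside the root.
    if full != SAMPLES_ROOT and not full.startswith(SAMPLES_ROOT + "/"):
        return None
    if not full.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return full


if __name__ == "__main__":
    for arg in ("sample1.asp", "sub/page.htm", "../../winnt/win.ini",
                "..%2F..%2Fglobal.asa", "default.asp::$DATA"):
        print(f"{arg!r:28} -> {resolve_sample_path(arg)}")
```

The check normalizes first and compares afterwards; testing the raw argument for the literal string `..` would miss encoded and backslash variants, which is the mistake the sample script made.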

Piggy-backing privileged command execution on back-end database queries (MDAC/RDS)

MDAC is a package used to integrate Web and database services. It includes the RDS component, which provides remote access to database objects through IIS. By exploiting vulnerabilities in RDS, depending on the security posture of the website, attackers can send arbitrary SQL commands that manipulate the database or retrieve any desired information. In this specific case, the attacker can even gain administrative rights by embedding the Shell() VBA command into the SQL command and executing highly privileged system commands.

Buffer Overflow Vulnerabilities

A buffer is an area of memory within a program that is used to store data of some kind - for instance, information on the program's status, intermediate computational results, or input parameters. Before placing any data into a buffer, the program should always verify that the buffer is large enough to accommodate all of the data.

Otherwise, the data can overrun the buffer and overwrite neighboring data, having the effect of modifying the program while it is running. If the data that overruns the buffer is random data, it won't be valid program code, and the program will fail when it tries to execute the random data. On the other hand, if the data is valid program code, the program will execute the new code and perform some new function - one chosen by whoever supplied the data. Practically exploitable remote buffer overflows on Windows are rare, but on IIS the exploit scene is different. The first was the .htr buffer overflow exploit against IIS 4, discovered by eEye Digital Security in June 1999. On IIS, the severity of buffer overflows is high: because IIS runs under the SYSTEM account context, buffer overflow exploits often allow arbitrary commands to be run as SYSTEM on the target system.

Some of the buffer overflows that have been seen are:

  • Internet Printing Protocol (IPP) buffer overflow

  • Indexing services ISAPI extension buffer overflow

  • Code Red Worm

  • FrontPage 2000 server extension buffer overflow

---Regards,
Amarjit Singh

Apache Vulnerability

Apache Vulnerability
  • Apache Week tracks the vulnerabilities in the Apache server. Even Apache has its share of bugs and fixes.

  • For instance, consider the vulnerability found in the Win32 port of Apache 1.3.20:

    • Long URLs passing through the mod_negotiation, mod_dir and mod_autoindex modules could cause Apache to list directory contents.

    • The concept is simple but requires a few trial runs.

    • A URL with a large number of trailing slashes:

      • /cgi-bin//////////////////////////// could produce a directory listing of the original directory.

The purpose of discussing the various web server vulnerabilities here is to highlight how ingenious attackers can be: by exploring the functionality of the various components, they are able to elicit unexpected and previously unknown behavior from a piece of code. No matter how insignificant it seems, a security breach can have far-reaching implications if left unattended.

This is not the only issue in focus. Eliminating flawed coding practices and incorporating proper testing must also not be ignored as security measures.

Apache Week tracks the vulnerabilities in the Apache server. For instance, in the Win32 port of Apache 1.3.20, a client submitting a very long URI could cause a directory listing to be returned rather than the default index page. This was subsequently fixed in Apache httpd 1.3.22.

Threat

Some of the other vulnerabilities have been:

Remote DoS via IPv6: When a client requests that proxy ftp connect to an ftp server with IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs causing a remote Denial of Service. This has been fixed in Apache httpd 2.0.47

Remote DoS with multiple Listen directives: In a server with multiple listening sockets, a certain error returned by accept() on a rarely accessed port can cause a temporary denial of service, due to a bug in the prefork MPM. This has been fixed in Apache httpd 2.0.47

APR remote crash: A vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. This has been fixed in Apache httpd 2.0.46

Basic Authentication DoS: A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. This has been fixed in Apache httpd 2.0.46

Line feed memory leak DoS: Apache 2.0 versions before Apache 2.0.45 have a significant Denial of Service vulnerability. Remote attackers can cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. This has been fixed in Apache httpd 2.0.45

MSDOS device names cause DoS: Apache versions before 2.0.44 on Windows do not correctly filter MS-DOS device names which can lead to denial of service attacks and remote code execution. This has been fixed in Apache httpd 2.0.44

Apache can serve unexpected files: On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL. This has been fixed in Apache httpd 2.0.44

Rewrite rules that include references allow access to any file: The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in RewriteRule directives: if the destination of a RewriteRule contains regular expression references, then an attacker will be able to access any file on the server. This has been fixed in Apache httpd 1.3.14

---Regards,
Amarjit Singh

Popular Web Servers : Hacking Web Servers Part - 3

The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web Server.

The Apache Web Server is an open-source web server for modern operating systems including UNIX and Windows NT. The server provides HTTP services in sync with the current HTTP standards in an efficient and extensible environment.

The Java Web Server / Sun ONE Web Server is one of the other highly available Web servers on the market. Microsoft's Internet Information Server is another popular server used by a sizable percentage of websites.

Threat

Common Security Risks

Let us take a look at some of the security concerns that arise in the context of web servers. There are inherent security risks that affect web servers, the local area networks that host these web sites, and perhaps even the normal users of web browsers.


Webmaster's Concern

From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network or the corporate intranet to the threats posed by the Internet. These may take the form of viruses, Trojans, hackers, or compromise of the information itself. Software bugs present in large, complex programs are often considered the source of imminent security lapses, and web servers, being large, complex programs, do come with these inherent risks. Apart from this, the open architecture of some web servers allows arbitrary scripts to be executed on the server's side of the connection in response to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

Network Administrator's Concern

From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web site is to provide controlled access to the network, too much control can make a web site impossible to use. In an intranet environment, the network administrator has to be careful to configure the web server so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.

End User's Concern

Usually the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications such as viruses to invade the user's system. Besides, active content from a web browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The threat for the end user stems from the fact that the TCP/IP protocol was not designed with security as its foremost priority. Therefore, data can be compromised in terms of confidentiality, authentication, and integrity as it is transmitted across the Web. In essence the aspects of confidentiality, authentication, and integrity need to be guarded both on the client side and server side to the extent possible.

Risks

There are basically three overlapping types of risk:

  1. Bugs /misconfiguration problems in the Web server that allow unauthorized remote users to:

    • Steal classified information.

    • Execute commands on the server host machine and modify the system.

    • Retrieve host based information to assist them in compromising the system.

    • Launch denial-of-service attacks, rendering the machine temporarily unusable.

  2. Browser-side risks

    • Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates a disturbance.

    • The misuse of personal information provided by the end-user.

  3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:

    • The network on the browser's side of the connection.

    • The network on the server's side of the connection (including intranets).

    • The end-user's Internet service provider (ISP).

    • The server's ISP or regional access provider.

---Regards,
Amarjit Singh

How Web Servers Work : Hacking Web Servers Part - 2

  • The browser breaks the URL into three parts:

    1. The protocol ("http")

    2. The server name ("www.website.com")

    3. The file name ("webpage.html")

  • The browser communicates with a name server, which translates the server name, www.website.com, into an IP address

  • The browser then forms a connection to the Web server at that IP address on port 80.

  • Following the HTTP protocol, the browser sends a GET request to the server, asking for the file http://www.website.com/webpage.html.

  • The server sends the HTML text for the Web page to the browser.

  • The browser reads the HTML tags and formats the page onto the screen.

Let us take a look at the basic working of a web server. What happens when you type http://www.eccouncil.org/Certification.htm in your browser?

  • The browser differentiates the URL into three parts:

    1. The protocol ("http")

    2. The server name ("www.eccouncil.org")

    3. The file name ("Certification.htm")

  • The browser initiates the connection by communicating with a name server to translate the server name www.eccouncil.org into a valid IP address.

  • It then uses this IP address to connect to the target web server machine.

  • The browser then establishes a connection to the web server at that IP address on port 80, the default HTTP port (any other port can be used as well).

  • According to the HTTP protocol, the browser sends a GET request to the server to retrieve the file "http://www.eccouncil.org/Certification.htm".

  • The web server then sends the HTML text for the particular Web page to the browser.

  • The browser reads the HTML tags and formats the page on the user's screen.

Other HTTP methods, like POST and PUT, are used in subsequent communications if needed. The response from the server includes the HTTP response code suitable for the result of the request. In the case of successful data retrieval, an HTTP 200 OK response is generated. Other HTTP response codes exist: common ones include 404 Not Found, 403 Access Denied, and 302 Object Moved (often used to redirect requests to a login page to authenticate a user).
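The exchange just described, carried out in code as an added example that is not part of the original post: a tiny local HTTP server stands in for www.eccouncil.org (the page it serves and the host name are constructed), and the client side splits the URL, performs the name lookup, opens the TCP connection, sends the GET request and reads back the status code and body exactly in the order the steps above give. Running it against loopback keeps the example offline; pointing `fetch` at a real host works the same way.

```python
"""Added example, not from the original post: the request/response exchange the
post walks through, performed against a local stand-in server so it runs
offline.  The served page and the host name are constructed for the demo."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# The one page our stand-in server knows about (constructed content).
PAGES = {"/Certification.htm": b"<html><body><h1>Certification</h1></body></html>"}


class Handler(BaseHTTPRequestHandler):
    """Serve PAGES; anything else gets a 404, matching the post's code list."""

    def do_GET(self):
        body = PAGES.get(self.path)
        if body is None:
            self.send_error(404, "Not Found")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def split_url(url):
    """Step 1: break the URL into protocol, server name, port and file name."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port, parts.path or "/"


def fetch(url):
    """Steps 2 to 6: resolve the name, connect, send GET, read the reply.
    Returns (status_code, body_bytes)."""
    scheme, host, port, path = split_url(url)
    if scheme != "http":
        raise ValueError("only plain http is handled in this example")
    ip = socket.gethostbyname(host)      # step 2: name server lookup
    port = port or 80                    # step 3: default port unless given
    with socket.create_connection((ip, port), timeout=5) as sock:
        request = (f"GET {path} HTTP/1.1\r\n"   # step 4: the GET request
                   f"Host: {host}\r\n"
                   "Connection: close\r\n\r\n")
        sock.sendall(request.encode("ascii"))
        raw = b""                        # step 5: server sends the HTML back
        while chunk := sock.recv(4096):
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]   # e.g. b"HTTP/1.0 200 OK"
    return int(status_line.split()[1]), body  # step 6 (rendering) is the browser's job


if __name__ == "__main__":
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    for name in ("/Certification.htm", "/missing.htm"):
        status, body = fetch(base + name)
        print(name, status, body[:40])
    srv.shutdown()
```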

Popular Web Servers and Common Security Threats
  • Apache Web Server

  • IIS Web Server

  • Sun ONE Web Server

  • Nature of Security Threats in a Web Server Environment.

    • Bugs or Web Server Misconfiguration.

    • Browser-Side or Client Side Risks.

    • Sniffing

    • Denial of Service Attack.

---Regards,
Amarjit Singh

Hacking Web Servers Part - 1

The Internet is probably where security or the lack of it is seen the most. Often, a breach in security causes more damage in terms of goodwill than the actual quantifiable loss. This makes the security of web servers assume critical importance. Most organizations consider their Internet presence as an extension of themselves. In this module, we will explore:

  • The basic function of a web server

  • Popular web servers and common vulnerabilities

  • Apache Web Server and known vulnerabilities

  • IIS Server vulnerabilities

  • Attacks against web servers

  • Tools used in Attack against web servers

  • Countermeasures that can be adopted

This module attempts to highlight the various security concerns in the context of a web server. Readers are encouraged to supplement this module by following vulnerability discussions on various mailing lists such as bugtraq and security bulletins issued by third party vendors for various integrated components.

---Regards,
Amarjit Singh

Protecting against Session Hijacking

  1. Use Encryption

  2. Use a secure protocol

  3. Limit incoming connections

  4. Minimize remote access

  5. Have strong authentication.

Countermeasure

When practical, limit successful sessions to specific IP addresses. This usually only works when dealing within an intranet setting, where the IP ranges are predictable and finite.

Countermeasure

Re-authenticate the user before critical actions are performed. If possible, try to limit unique session tokens to each browser instance (e.g. generate the token with a hash of the MAC address of the computer and the process id of the browser, etc.). Configure the appropriate spoof rules on gateways (internal and external). Monitor for ARP cache poisoning by using IDS products or ARPwatch.

Countermeasure

Use X.509 certificates to prevent more traditional types of TCP hijacking.

Countermeasure

Use encryption. This can be done by one or more of the following.

  • Forcing all incoming connections from the outside world to be fully encrypted.

  • Forcing all connections to critical machines to be fully encrypted.

  • Forcing all traffic on the network to be encrypted.

  • Using encrypted protocols, like those found in the OpenSSH suite. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server.

Countermeasure

Use strong authentication (like Kerberos) or peer-to-peer VPNs.
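Two of the countermeasures above, limiting a session to the address it was issued to and re-authenticating before a critical action, are simple to implement on the server side. The session store below is an added example rather than code from the original post; it issues unpredictable tokens from Python's `secrets` module instead of deriving them from machine identifiers, drops a token the moment it is presented from a different address, and refuses a critical action unless the password was re-checked recently. The user names, addresses and timing values are constructed for the demonstration, and the password check itself is assumed to happen elsewhere.

```python
"""Added example, not from the original post: a session store that binds a
session to the client address and requires fresh re-authentication before a
critical action.  Names, addresses and timing values are constructed for the
demo; the credential check itself is assumed to live elsewhere."""
import secrets
import time
from dataclasses import dataclass

REAUTH_WINDOW = 300    # seconds since the last password check for a critical action
IDLE_TIMEOUT = 1800    # seconds of inactivity after which a session is dropped


@dataclass
class Session:
    user: str
    client_ip: str
    last_seen: float
    last_auth: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._sessions = {}

    def create(self, user, client_ip):
        """Issue a fresh unpredictable token bound to the requesting address."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, client_ip, now, now)
        return token

    def lookup(self, token, client_ip):
        """Return the session for a valid token presented from its bound
        address, or None (dropping the session) when something is off."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or s.client_ip != client_ip:
            # A token arriving from another address is treated as hijacked:
            # invalidate it rather than serve the request.
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, token, client_ip, password_ok):
        """Record a fresh credential check; `password_ok` is the result of the
        (hypothetical) password verification done elsewhere."""
        s = self.lookup(token, client_ip)
        if s is None or not password_ok:
            return False
        s.last_auth = self._clock()
        return True

    def may_perform_critical_action(self, token, client_ip):
        """Allow the action only if the session is valid and re-authenticated
        within REAUTH_WINDOW seconds."""
        s = self.lookup(token, client_ip)
        return s is not None and self._clock() - s.last_auth <= REAUTH_WINDOW


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "10.0.0.5")
    print("same address, fresh login:", store.may_perform_critical_action(tok, "10.0.0.5"))
    print("other address:", store.lookup(tok, "203.0.113.7"))
    print("token after that attempt:", store.lookup(tok, "10.0.0.5"))
```

As the post notes, address binding only works well where addresses are predictable, such as on an intranet; behind a NAT or proxy it will reject legitimate users, so the idle timeout and the re-authentication window are the parts worth keeping everywhere.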


---Regards,
Amarjit Singh

Remote TCP Session Reset Utility


This security tool can remotely display all active sessions on a terminal server, router, dial-in server, access server, etc. The user can reset any TCP session remotely.

Resetting a connection is simple.

  1. Start up the remote TCP session reset

  2. Enter the IP address of the machine whose connection is to be reset.

  3. Enter the read-write community string.

  4. Click on connect to retrieve a list of active TCP connections

  5. Click on the connection that is to be disconnected, and select 'Break' from the toolbar.


---Regards,
Amarjit Singh