The hacker's guide to website security

2. Active reconnaissance

Step 1: Scanning

Scanning is one of the most important phases of intelligence gathering. The attacker gathers information about the target's server OS, system configuration, services running and vulnerabilities. The idea is to discover exploitable communication channels and find various ways to intrude the target system. This is equivalent to a burglar trying the doors and windows of a house.

Port scanning is the process of determining which services are running on the target server by sending a sequence of preformed messages. It involves connecting to TCP and UDP ports on the target to determine if the services are running and listening.

A listening service on a server is basically a program that communicates with the outside world. These programs listen on ports. There are standard ports such as 21 for FTP, 25 for Email, 80 for web traffic etc. Some ports are of more interest than others, as they can provide an easy route into the server if left either badly configured or with their default settings enabled (for example, anonymous users on FTP). Once a listening service is discovered, more attacks can be launched.

Ethical hacker: "I select two targets: the main URL and an IP from the Net Block. I don't want to alert the sys admins, in case there's an IDS box or firewall in front. I need a tool that can perform an idle scan so I'll use the best, NMAP (nmap.org). The scan reveals some interesting open ports and the IDS or firewall didn't even know! I can see the standard 25,80,122,443,53 open.

"Now on to the second server. Rather than an idle scan, I'll perform a SYN scan just to see which ports are open. I can see 3389, which is a Windows remote desktop port, 80 and more interestingly, port 3306 filtered. This indicates that there's a MySQL server running, but I'll confirm that later."

Countermeasures: The main defence against port scanning is a firewall. Properly configured, you can restrict at an IP level who has access to which port. However, public ports such as 25, 80 and 443 can never be restricted. If you want to spend the money, some top-end firewalls will detect the types of scans that can be performed and block the requesting IP. Once an attacker sees that a port is filtered, they know there's a firewall in place.

Outgoing firewall rules are as important as incoming. For example, the attacker may be successful at uploading a script that can tunnel through port 80. If your firewall allows incoming and outgoing port 80 connections then the tunnel will work. However, blocking outgoing port 80 will stop the tunnel.

Step 2: Identify the server OS

Identifying the server OS is the next step. Once it's known, a search for vulnerabilities can be started. Vulnerabilities don't have to be remote, as once an application has been compromised, a local user may be able to escalate their privileges to administrator or root. There are several techniques for identifying the OS but an experienced hacker will know just by looking at the port scan output.

Ethical hacker: "I need to confirm the server's operating system. As port 25, 53, 80, 122, 443 and 3306 could be running Linux or Windows I'll use Xprobe2 to test. Just as I thought: it's a Linux server, CENTOS 5.2. Port 53 was the giveaway. I'm not sure what port 122 is, though. As the other server is running ms-term-serv, that's a Windows server for sure. I just need to find which version."

Countermeasures: As there are so many techniques for determining the OS, there's very little that can be done to countermeasure this.

Step 3: Banner grabbing

This involves connecting to the server ports and passing some information that will return, at best, the application name and version number. Most applications will advertise themselves and give away their version numbers. Once the application and version number is known, it can be checked against a list of known vulnerabilities.

Knowing the application and version number isn't always that valuable, though, as some fully patched applications don't always update the version number.

Ethical hacker: "Let's identify the applications and versions. On the Linux server we have port 25, 53, 80, 122 and 443. I already know what the services are, apart from 122, but let's see if I can get the version numbers. I'll keep it simple and use Telnet. Port 25-Sendmail version 8.13.8, Port 53-DNS, Port 80-Apache 2.2.3, Port 443 HTTPS Apache 2.2.3 and port 122 is SSH version 2-4.3!

HELP IS AT HAND: For info on how to secure your IIS server, including the latest updates, visit msdn.microsoft.com

The sys admin is trying to be sneaky. On the Windows server there's IIS running, MS Terminal Server and MySQL. IIS is version 6.0. Via the terminal server client I can see that it's Windows Server 2003 – unpatched, I bet. I know that Port 3306 is MySQL, but it's filtered rather than closed. This tells me that there's a firewall configured in front of the servers and it's filtering MySQL connections from another server."

Countermeasures: Most applications allow you to change the advertised banner, somewhere. You may have to dig deep but you should be successful. For example, Apache has a directive "ServerSignature", which can be set to OFF. With SENDMAIL you need to change the sendmail.cf file. For IIS you can use the IIS Lockdown tool.

Something else you can do is conceal the file extensions, since the file extensions can give clues to the operating system you're running.

Step 4: Web server application scan

The reconnaissance process has its uses but unless there's a fundamental weakness there's no way to exploit the server. However, it's useful to map out the network and potentially discover hidden gems.

During the name server search, a number of additional host names and subdomains could be discovered. System administrators and developers often forget about these and leave old test scripts, data and vulnerable applications that have been downloaded for tests but never updated.

A paramount step in testing for web application vulnerabilities is to find out which particular applications are hosted on a web server. Many applications have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or to exploit data. In addition, many applications are often misconfigured or not updated, due to the perception that they're only used 'internally' and therefore no threat exists.

Ethical hacker: "Let's look to see if I can find any juicy pieces of information on these websites. I'll use an Amazon Virtual server to hide my real IP from the sys admin (not that they'll look in the logs anyway). From my passive reconnaissance, I can see that on the Linux server there are five websites hosted and two with subdomains. On the Windows servers I can't see any websites, even though IIS is running.

Starting with the Linux server I'll run the web file scanner, Nikto. I can see a robots. txt, /administration, phpinfo.php, /test, /manual, phpmyadmin, /downloads, /forum and /bakups. The robots.txt file lists the directories that the search engine shouldn't spider but that doesn't stop me looking at them. I can see /includes, /administrator, /cache/, /components/, /images/, /includes/, /installation/, /language/, /libraries/, /media/, /modules/, /plugins/, /templates/, /tmp/, /xmlrpc/. Let's look at phpinfo.php.

As I suspected, it's the PHP information. This will give me some information regarding the installation of PHP. I note the version, paths and installed extensions.

● /administration next. Joomla installation. No version number. I look at the source. The meta tag tells me it's 1.5. There are plenty of security updates for 1.5.
● /Forum. This leads me to a forum for the website. Looking at the footer I can see it's Vbulletin, but no version number. A quick Google search shows me the administration link – /admincp, the admin control panel screen – but still no version. I look at the page source and there it is: version 3.6.8 on the alt tag for the Vbulletin logo – how stupid. I'll search for a hack later.
● /test. There's a copy of a website here.
● /manual. A copy of the Apache manual.
● /bakups. Some old tar files. Worth a look.
● /phpmyadmin. Installation of phpMyAdmin version 3.2.5. The latest version but still an opportunity to test the username and password. Username is generally root.
● /downloads. I can see a Joomla tar file. This may mean Joomla is installed somewhere.

"I move on to the Windows server. The default IP address page confirms it's II6, but there don't seem to be any websites on this server, which must mean it's used for some other purpose. With MySQL and terminal services I'm guessing it's used for some database work."

Countermeasures: Don't leave old or unwanted files on the server. Make sure all installed third-party software is up to date. If you have a login page, can you restrict the IPs that can access it? You can't restrict access to the robots.txt file, so ensure there isn't any valuable information in there.