Security Made Simple Series - PowerPoint PPT Presentation

1 / 48

About This Presentation

Title:

Security Made Simple Series

Description:

Lockdown procedures/local security policy. AntiVirus. Malware/spyware ... Free and Economical Security and Performance Monitoring Tools ... – PowerPoint PPT presentation

Number of Views:212

Avg rating:3.0/5.0

Slides: 49

Provided by: michaele66

Category:

more less

Transcript and Presenter's Notes

Title: Security Made Simple Series

1
Security Made SimpleSeries

Web Hackology
A Primer in Web Hacking and Securing your Web
Servers

2
Outline

Attack points
Policy
Architecture
OS and web server configuration
Tools
Web content checks
Web application programming hacks

3
Attack Points
4
Administrative Security Policy

Network architecture
OS configuration
Web server configuration and components
Frontpage permitted
HTML admin interface
Ports permitted
Operational readiness procedures
Remote administration procedures
Change control and update procedures
Security monitoring procedures
Performance monitoring procedures

5
Network Architecture
6
Recommended Network Architecture
7
Network Architecture

IDS
Dumb down web attack rules
Use connection-based rules
ARP spoofing
Port usage
TCP any 102465535 ltgt web server 80
TCP any 102465535 ltgt web server 443
DNS
NTP
Updates (OS/Web server/AV)
Security Monitoring (syslog or proprietary)
Performance Monitoring
Baseline (MD5-like)
Remote Administration
Access to web app and/or database
Load Balancer
Ensure that individual IPs cannot be accessed
from Internet

8
Security Checklists

www.nsa.gov

9
OS Configuration

Patches
Lockdown procedures/local security policy
AntiVirus
Malware/spyware
TCP wrappers/personal firewall

10
Some Common Web Servers

Microsoft IIS
Apache
Lotus Domino
IBM Websphere
Netscape/iPlanet/Sun One
Mainframe

11
Web Server Configuration

Patches
Lockdown procedures
Admin Security Policy
run as non-privileged user
restrict files from web user/service
use IIS lockdown (Microsoft)
use URLScan (Microsoft)

12
IIS lockdown What does it do?

Disables 'Index Server Web Interface (.idq, .htw,
.ida)' script map
Disables 'Internet Data Connector (.idc)' script
map
Disables 'Server side includes (.shtml, .shtm,
.stm)' script map
Disables '.HTR scripting (.htr)' script map
Disables 'Active Server Pages (.asp)' script map
Disables 'Internet printing (.printer)' script
map
Removes the printer virtual directory
Disables Web Distributed Authoring and Versioning
(WebDAV)
Sets file permissions to prevent anonymous IIS
users from writing to content directories
Sets file permissions to prevent anonymous IIS
users from running system utilities
Removes 'Scripts' virtual directory
Removes 'MSADC' virtual directory
Removes 'IIS Samples' virtual directory
Removes 'IISAdmin' virtual directory
Removes 'IISHelp' virtual directory

13
IIS Lockdown
Before
After
14
URLScan What does it do?

Controls allow/deny verbs
Add TRACK and TRACE to list
Controls allow/deny extensions
Limits URL lengths
Normalizes http pre-processor
A must with IIS 5.5 and earlier
Using URLScan w/ IIS 6.0
RemoveServerHeader
DenyUrlSequences
Can be used to remove SQL tick()

15
Ways to Identify Vulnerabilities

Security Focus
Bug Traq
Vendor info
Hacker web sites
Internet searches
Hacker tools

16
Hacker and Commercial Tools

Nikto
N-Stealth
Whisker
Teleport Pro
Brutus
stunnel
Nessus
ISS Internet Scanner
NAI CyberCop Scanner
Retina
latest version of IE
Netscape 4.78

17
How to identify the web host

Telnet to port 80
c\gttelnet www.website.net 80
HTTP/1.0 501 Not Implemented
Connection close
Server zWeb-Host-VSE/1.7.0
Content-Type text/html
ltHTMLgtltHEADgtltTITLEgtERROR 501 - NOT
IMPLEMENTEDlt/TITLEgtlt/HEADgt
ltBODY TEXTBLACK BGCOLORWHITEgt
ltH2gtltCENTERgtERROR 501 - NOT IMPLEMENTEDlt/CENTERgt
lt/H2gt
ltBRgtThe request can not be processed because
the requested facility is not implemented by
the web server.lt/BODYgtlt/HTMLgt
Sometimes you may need to enter
HEAD / ltCRgt ltCRgt

18
How to identify the web host

Use stunnel to telnet to port 443
C\stunnelgtstunnel -c -r www.website.com443 -d
443
C\gttelnet 127.0.0.1 443
HTTP/1.1 400 Bad Request
Server Microsoft-IIS/4.0
Date Tue, 22 Oct 2002 230241 GMT
Content-Type text/html
Content-Length 87
lthtmlgtltheadgtlttitlegtErrorlt/titlegtlt/headgtltbodygtThe
parameter is incorrect. lt/bodygt
lt/htmlgt
If using ASP, 95 chance it is IIS

19
Nikto

C\nikto-1.30gtperl nikto.pl -generic -host
10.14.55.68
- SSL support not available (see docs for
SSL install instructions)
--------------------------------------------------
-------------------------
- Nikto 1.30/1.09 - www.cirt.net
Target IP 10.14.55.68
Target Hostname www.mindyourownbiz.net
Target Port 80
Start Time Sun Jul 13 184541 2003
--------------------------------------------------
-------------------------
Server Microsoft-IIS/5.0
Allowed HTTP Methods OPTIONS, TRACE, GET,
HEAD, COPY, PROPFIND, SEARCH, LOCK
UNLOCK
HTTP method 'PROPFIND' may indicate DAV/WebDAV
is installed. This may allow DA
V authorized users to consume system memory via
large requests or fill disk quot
as.
HTTP method 'TRACE' may allow client XSS or
credential theft. See http//www.
cgisecurity.com/whitehat-mirror/WhitePaper_screen.
pdf for details.
Microsoft-IIS/5.0 is outdated if server is
Win2000 (4.0 is current for NT 4)
/ - TRACE option appears to allow XSS or
credential theft. See http//www.cgi

20
N-Stealth
21
Nessus
22
Nessus
23
Nessus
24
Brutus
25
Information Accessibility

Indexing
Access outside root
../../
Hidden information
Links

26
Client Vulnerability Checks

Account info in history file
Disk cache

27
Various Server Vulnerabilities

Modify web data
WebDAV
SSL cipher
SSLv2 vs. SSLv3
Encryption strength
Client certificates
Time synchronization

28
Lotus Domino Files to Protect

setup.nsf
catalog.nsf
admin4.nsf
webadmin.nsf
certlog.nsf
log.nsf
names.nsf
domcfg.nsf
domlog.nsf

29
User Account/Login Security Issues

Login credential check
Login timeout
Report last good/failed login
Account lockout
Concurrent logins
Warning banner
Ability to logout
Password rules
Default usernames/passwords in use

30
Poor Logon Credential Check
Valid account Invalid password
Invalid account Invalid password
A web site should not differentiate between a
non-existent account and an invalid
username/password combination. Ensure that the
responses for an invalid account or a valid
account with an incorrect password are the same.
31
Report last good/failed login
Web sites should report previous login
information and failed login attempts back to the
client.
32
Concurrent Logins
An account in use message should be issued.
33
Account Lockout
An account lockout mechanism should be enabled
34
Sample Warning Banner

This system is for the use of authorized users
only. These systems and equipment are subject to
monitoring to ensure proper functioning, to
protect against improper or unauthorized use or
access, and to verify the presence or performance
of applicable security features or procedures,
and for other like purposes. Such monitoring may
result in the acquisition, recording, and
analysis of all data being communicated,
transmitted, processed or stored in this system
by a user. If monitoring reveals evidence of
possible criminal activity, such evidence may be
provided to law enforcement personnel. Use of
this system constitutes consent to such
monitoring.

http//www.ciac.org/ciac/bulletins/j-043.shtml
35
Sample Password Rules

The password shall contain a combination of at
least six alphanumeric characters, including at
least one alphabetic, one numeric, and one
special (e.g. punctuation) character.
The password shall not contain the associated
user ID.
As an option, dictionary words can be restricted.
No more than two repeating characters.
No sequencing of characters and/or numbers.
Password aging and history should be maintained.

36
Application Programming Hacks

Common Gateway Interface (CGI) Scripts
Buffer underflow/overflow
URL Manipulation
SQL Injection
Cross-Site Scripting (XSS)
Persistent cookie manipulation
Session cookie manipulation
Variable manipulation

37
Use of Basic Authentication Base64 decode

root_at_localhost /tools ./websniff -v
192.168.1.70 2234 gt 172.16.31.45
GET /acid/acid_main.php HTTP/1.1
Accept image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword,
/
Accept-Language en-us
Accept-Encoding gzip, deflate
User-Agent Mozilla/4.0 (compatible MSIE 6.0
Windows NT 5.0)
Host 172.16.31.45
Connection Keep-Alive
Cookie PHPSESSID531d9931581ac33d69d1ca917f206d5d
Authorization Basic c25vcnQ6dGVzdA
---------- USER snort PASS test
----------

38
URL Manipulation

Original URL
http//www.website.com/JSP/Welcome.jsp?CustomerNu
mber1UserNameguest1BaseURLhttp3A2F2Fwww.we
bsite.com2Ftest2FServletURLhttp3A2F2Fwww.we
bsite.com2Ftest2FJSP2FAccessLevel011001RealN
ameGuest28App.User29TextFileLocationc3A5C
trashReportFileLocationc3A5Ctrash5Creports5C
SelfVerifyfalseDSNameWebRemoteDSUserNameadmi
nistratorDSUserPasswordabc123
Changed URL
http//www.website.com/JSP/Welcome.jsp?CustomerNu
mber1UserNameguest1BaseURLhttp3A2F2Fwww.we
bsite.com2Ftest2FServletURLhttp3A2F2Fwww.we
bsite.com2Ftest2FJSP2FAccessLevel111011RealN
ameGuest28App.User29TextFileLocationc3A5C
trashReportFileLocationc3A5Ctrash5Creports5C
SelfVerifyfalseDSNameWebRemoteDSUserNameadmi
nistratorDSUserPasswordabc123

39
URL Manipulation
40
SQL Injection Case 1

The exploit uses a SQL statement to bypass the
password requirement.
The following is an example of the exploit
Customer ID 0003
User ID user99
Password x' OR 1 1 --
The reason this attack works is because it
changes the SQL select statement such that any
query will always return true. For example
SELECT FROM AUTHENTICATION_TABLE WHERE
Username 'username' and Password 'Correct
password'
Is changed to
SELECT FROM AUTHENTICATION_TABLE WHERE
Username 'username' and Password 'x' OR 1 1
-- '
The use of "OR 1 1" will always be true,
therefore the password request will always be
validated.

41
SQL Injection
42
SQL Injection Case 2

The web page was modified with the following code
snippets to protect against the SQL injection
vulnerability previously discovered
// Verify password
function verifyPsw(field)
if (field.search(/(\s"')/) ! -1)
return false
else
return true
//validate the form and submit it
function submitForm
if (ie)
entryForm.BROWSER.value "MSN"
else
if (ns)
entryForm.BROWSER.value "NET"

43
Cross-Site Scripting (XSS)

ltSCRIPT Language"Javascript"gtalert("Hello")lt/SCR
IPTgt

44
Variable Manipulation Case 1

By changing the UserID from 17 to 18, the
user assumes the privileges of another

45
Variable Manipulation Case 2

I used Achilles to intercept the web pages coming
back from the web server

lt!-- Only what they have access to... --gt
lttdgtlta href"JavaScript SystemAdmin()"gtltimg
src"https//website.com/TEST/Images/Main_SystemAd
min.gif" width"93" height"100" alt"Admin"
border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptFileControl()"gtltimg
src"https//website.com/TEST/Images/Main_FileCont
rol.gif" width"93" height"100" alt"File
Control" border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptApplications()"gtltimg
src"https//website.com/TEST/Images/Main_Applicat
ions.gif" width"93" height"100"
alt"Applications" border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptReports()"gtltimg
src"https//website.com/TEST/Images/Main_Verifica
tion.gif" width"93" height"100"
alt"Verification" border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptReports()"gtltimg
src"https//website.com/TEST/Images/Main_Reports.
gif" width"93" height"100" alt"Reports"
border"0"gtlt/agtlt/tdgt
lt/trgt
lttrgt
lt!-- Only what they have access to... --gt
lttd valign"baseline" align"center"gt lta
href"JavaScriptSystemAdmin()"gtSystemAdminlt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptFileControl()"gtFile Controllt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptApplications()"gtApplicationslt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptVerification()"gtVerificationlt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptReports()"gtReportslt/agt lt/tdgt