More people than ever before have gained access to the internet in the last ten years. Many businesses build web-based applications that people use to interact with them. However, faulty configuration and poorly designed software leave web servers vulnerable, and attackers can exploit them to gain unauthorized access to sensitive data stored on the servers.
This article gives an overview of web servers. We will cover how a web server works, the top web servers in the industry, web server vulnerabilities, web server attacks, tools, and some countermeasures to protect against such attacks.
Among the biggest web server attacks was the 2018 DDoS attack on GitHub.
GitHub is the most well-known online code management tool and is used by millions of developers. On February 28, 2018, the largest DDoS attack in history hit it. The tremendous rush of traffic, which peaked at a record-breaking 1.3 terabits per second, was more than the platform could handle.
No botnets were involved in this attack. Instead, the attackers used a method called memcaching, which abuses memcached, a caching system used to speed up websites and networks. The attackers could spoof GitHub’s IP address and then massively amplify the traffic levels directed at the platform.
Luckily, within 10 minutes of the attack, the company could contain and stop the attack from continuing as the company was using a DDoS Protection Service.
In this tutorial, we will introduce you to web server hacking techniques and how you can protect servers from such attacks.
What is a web server?
Web servers store web pages and all the information related to them, and this information can be accessed in different ways. Hackers are very interested in accessing various data, and web servers can be a precious source of miscellaneous details. It should be noted that this information has two parts: one is the software component, and the other is the hardware part. As a result, hackers attempt to attack web servers in order to acquire this information. Hackers frequently attack software in order to gain access to servers’ information. We shall focus more on this topic in the next section of this post.
How does a Web Server work?
A web server can be accessed through a website’s domain name. It ensures delivering the site’s content to the requesting user by using Hypertext Transfer Protocol (HTTP). A Web server can be considered to be hardware that is used to store or host the Web server’s software and files related to websites. A web server can therefore be used to denote either the hardware, the software, or both at once. It is utilized for many different things, including file transfers and email exchanges. The same file, or any other file, can be efficiently delivered to thousands of website visitors at once thanks to web servers’ immense capability.
Types of web servers:
Every web server has a unique address, which is made up of four numbers.
There are different web servers, four of which are the most common ones, which will be mentioned below.
– Apache:
This is the most commonly used web server on the internet. It is cross-platform, but it’s usually installed on Linux. Most PHP websites are hosted on Apache servers.
– Internet Information Services:
Internet Information Services is one of the web servers with high performance, and due to its high compatibility with the operating system, it is effortless to manage.
This can run on Windows, Mac OS X, Linux, and Solaris operating systems and has many fans who prefer to use it.
– Sun Java System Web Server:
This is also available for free, and the point about it is that it is not an open-source one. This web server supports different languages and can be run on other operating systems.
– Jigsaw Server:
Jigsaw Web Server is written in Java and can run CGI scripts and PHP programs, and this resource is also free.
Web Server Security Issue
Web servers could be subject to the operating system and network-level attacks. Web server software and website-related information, such as photos, scripts, etc., are stored on hardware called web servers. Typically, an attacker will hunt down and exploit holes in the web server’s settings.
Some vulnerabilities may include:
- Inappropriate directory permissions
- Lack of security
- Misconfigured SSL certificates
- Unnecessary services left enabled
- Default setup
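As an added example (not from the original article), the following Python audit checks a web root for the first item above, inappropriate directory permissions. The list of sensitive file names is an assumption made for the illustration.

```python
import os
import stat

# Assumed names of files that should never be readable by other local users.
SENSITIVE = (".env", ".htpasswd", "config.php")

def audit_web_root(root):
    """Return sorted (relative_path, problem) pairs found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)               # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue                      # link modes are not meaningful
            rel = os.path.relpath(path, root)
            # World-writable entries let any local account plant or alter content.
            if st.st_mode & stat.S_IWOTH:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((rel, f"world-writable {kind}"))
            # Credentials and config files should not be readable by "other".
            if name in SENSITIVE and st.st_mode & stat.S_IROTH:
                findings.append((rel, "sensitive file readable by others"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, problem in audit_web_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{problem}: {rel}")
```

Run it against the document root as part of a deployment check; an empty result means neither condition was found.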
Types of Attacks against Web Servers
- Directory traversal attacks– This type of attack exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.
- Denial of Service Attacks– With this type of attack, the web server may crash or become unavailable to legitimate users.
- Domain Name System Hijacking – With this type of attack, the DNS setting is changed to point to the attacker’s web server. All traffic that was supposed to be sent to the web server is redirected to the wrong one.
- Sniffing– Unencrypted data sent over the network may be intercepted and used to gain unauthorized access to the web server.
- Phishing– With this type of attack, the attacker impersonates the website and directs traffic to the fake website. Unsuspecting users may be tricked into submitting sensitive data such as login details, credit card numbers, etc.
- Pharming– With this type of attack, the attacker compromises the Domain Name System (DNS) servers or the user’s computer so that traffic is directed to a malicious site.
- Defacement– With this type of attack, the attacker replaces the organization’s website with a different page that contains the hacker’s name and images, and may include background music and messages.
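For the directory traversal item above, this added example (not from the original article) puts a file-serving path lookup that trusts the request beside a hardened version that refuses anything resolving outside the document root. The function names and the sample root are assumptions for the illustration.

```python
import os
from urllib.parse import unquote

def resolve_naive(web_root, request_path):
    """Vulnerable: trusts the joined path, so '../' segments walk out of web_root."""
    return os.path.normpath(
        os.path.join(web_root, unquote(request_path).lstrip("/")))

def resolve_safe(web_root, request_path):
    """Return the real path to serve, or None when the request escapes web_root."""
    decoded = unquote(request_path)      # decode %2e%2e%2f before any check
    if "\x00" in decoded:                # null bytes never belong in a path
        return None
    root = os.path.realpath(web_root)
    # realpath collapses '..' and follows symlinks, so links that point
    # outside the root are rejected as well.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo(web_root="/var/www/site/public"):   # constructed sample root
    requests = ["/index.html", "/css/../index.html",
                "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]
    # True means the hardened resolver would serve the request.
    return [(r, resolve_safe(web_root, r) is not None) for r in requests]

if __name__ == "__main__":
    for request, allowed in demo():
        print(f"{'serve ' if allowed else 'reject'} {request}")
```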
Effects of successful attacks
- An organization’s reputation can be ruined if the attacker edits the website content and includes malicious information or links to a porn website
- The web server can be used to install malicious software on users who visit the compromised website. The malicious software downloaded onto the visitor’s computer can be a virus, Trojan or Botnet Software, etc.
- Compromised user data may be used for fraudulent activities which may lead to business loss or lawsuits from the users who entrusted their details with the organization
Web server attack tools
Some of the common web server attack tools include:
- Metasploit– this is an open-source tool for developing, testing and using exploit code. It can be used to discover vulnerabilities in web servers and write exploits that can be used to compromise the server.
- MPack– this is a web exploitation tool. It was written in PHP and is backed by MySQL as the database engine. Once a web server has been compromised using MPack, all traffic to it is redirected to malicious download websites.
- Zeus– this tool can be used to turn a compromised computer into a bot or zombie. A bot is a compromised computer that is used to perform internet-based attacks. A botnet is a collection of compromised computers. The botnet can then be used in a denial of service attack or sending spam emails.
- Neosplit – this tool can be used to install programs, delete programs, replicate them, etc.
- Information Gathering
Information Gathering is a process of gathering different information about the victim/target by using various platforms such as Social engineering, internet surfing, etc.
An attacker may employ a variety of techniques during the important phase of “footprinting” to learn as much as they can about the target. Before launching an assault, the attacker conducts this phase of reconnaissance using passive techniques to learn more about the victim. In order to avoid being discovered and warning the target of the attack, the attacker maintains little contact with the victim. Footprinting can swiftly identify and exploit the target system’s weaknesses. Information can be gathered using a variety of techniques, including Whois, Google searches, operating system detection, network enumeration, etc.
- Web Server Footprinting
In web server footprinting, information is gathered using specific tools that are focused on web servers, such as Maltego, httprecon, Nessus, etc., resulting in details like operating system, running services, type, applications, etc.
1. Vulnerability Scanning –
After completing footprinting, vulnerability scanning is the next step performed to accurately target the attack. A vulnerability scanner is a piece of software designed to find security holes in networks and systems. Port scanning, OS detection, network services, and other techniques are some of those utilized in vulnerability scanning. Nmap, Nikto, Nessus, and many others are common scanning tools.
Different Types of Vulnerability Scanning
Vulnerability Scanning is classified into two types: unauthenticated and authenticated scans.
- Authenticated Scan: In this, the tester logs in as a network user and finds the vulnerabilities that a regular user can encounter. The tester also checks all the possible attacks from which a hacker could benefit.
- Unauthenticated Scan: In this, the tester performs all the scans that a hacker would likely do, avoiding direct access to the network. These points can reveal how to get access to a network without signing in.
2. Session Hijacking –
Session Hijacking/ cookie hijacking is an exploitation of the web session. In this attack, the attacker takes over the users’ sessions to gain unauthorized access to get information about its services. Session hijacking mostly applies to web applications and browser sessions.
To successfully hijack a session, the attacker has to know the Session-Id (session key). The key can be obtained by stealing the session, or when the user clicks a malicious link that the attacker provides. Once the key is obtained, the attacker can hijack the session using only the session key, and the server will treat the attacker’s connection as the original session.
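The paragraph above describes a server that accepts the session key alone. This added example (not from the original article) shows a session table that issues unguessable IDs, sends them with protective cookie attributes, rotates the ID after login, and revokes a session when the key arrives from a different client. Binding to the User-Agent header is an assumption of this sketch and only a weak signal, since an attacker can copy it.

```python
import hashlib
import hmac
import secrets
import time

class SessionStore:
    """In-memory session table; a real deployment would use a shared store."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout
        self.sessions = {}

    @staticmethod
    def fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user, user_agent, now=None):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": user, "fp": self.fingerprint(user_agent),
                              "seen": time.time() if now is None else now}
        return sid

    @staticmethod
    def cookie_header(sid):
        # Secure: sent over HTTPS only (sniffing); HttpOnly: hidden from scripts
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def validate(self, sid, user_agent, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        expired = now - entry["seen"] > self.idle_timeout
        same_client = hmac.compare_digest(entry["fp"], self.fingerprint(user_agent))
        if expired or not same_client:
            del self.sessions[sid]               # revoke: the key may be stolen
            return None
        entry["seen"] = now
        return entry["user"]

    def rotate(self, sid, user_agent, now=None):
        """Swap in a fresh ID after login or a privilege change."""
        user = self.validate(sid, user_agent, now)
        if user is None:
            return None
        del self.sessions[sid]
        return self.create(user, user_agent, now)
```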
3. Password Attacks –
Password cracking is a method of extracting passwords to gain access to a legitimate user’s target system. Password cracking can be performed using social engineering attacks, dictionary attacks, password guessing, or stealing stored information that can help obtain passwords that give access to the system.
Password Attacks are classified as:
- Non-Electronic Attack
- Active Online Attack
- Passive Online Attack
- Default Passwords
- Offline Attack
Hacking Activity: Hack a WebServer
In this practical scenario, we are going to look at the anatomy of a web server attack. We will assume we are targeting www.techpanda.org. We are not actually going to hack into it as this is illegal. We will only use the domain for educational purposes.
What we will need
- A target www.techpanda.org
- Bing search engine
- SQL Injection Tools
- PHP Shell, we will use DK shell http://sourceforge.net/projects/icfdkshell/
We will need to get the IP address of our target and find other websites that share the same IP address.
We will use an online tool to find the target’s IP address and other websites sharing the IP address
- Enter the URL https://www.yougetsignal.com/tools/web-sites-on-web-server/ in your web browser
- Enter www.techpanda.org as the target
- Click on the Check button
- You will get the following results
Based on the above results, the IP address of the target is 188.8.131.52
We also found out that there are 403 domains on the same web server.
Our next step is to scan the other websites for SQL injection vulnerabilities. Note: if we can find a SQL injection vulnerability on the target, then we would directly exploit it without considering other websites.
- Enter the URL www.bing.com into your web browser. This will only work with Bing, so don’t use other search engines such as Google or Yahoo
- Enter the following search query
- “ip:184.108.40.206” limits the search to all the websites hosted on the web server with IP address 220.127.116.11
- “.php?id=” searches for URL GET variables used as parameters for SQL statements.
You will get the following results
As you can see from the above results, all the websites using GET variables as parameters for SQL injection have been listed.
The next logical step would be to scan the listed websites for SQL Injection vulnerabilities. You can do this using manual SQL injection or use tools listed in this article on SQL Injection.
Uploading the PHP Shell
We will not scan any of the websites listed as this is illegal. Let’s assume that we have managed to log in to one of them. You will have to upload the PHP shell that you downloaded from http://sourceforge.net/projects/icfdkshell/
- Open the URL where you uploaded the dk.php file.
- You will get the following window
- Clicking the Symlink URL will give you access to the files in the target domain.
Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails, etc.
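From the defender's side, the stages of this scenario leave traces in the web server access log. This added example (not from the original article) scans log lines for tampered `id=` parameters and for PHP files requested from an upload directory. The log lines are constructed samples in common log format, and the upload directory names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2024:10:02:03 +0000] "GET /news.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
203.0.113.9 - - [12/Mar/2024:10:02:40 +0000] "GET /news.php?id=-1+UNION+SELECT+1,2,3 HTTP/1.1" 200 5301
203.0.113.9 - - [12/Mar/2024:10:09:11 +0000] "POST /uploads/dk.php HTTP/1.1" 200 8841
198.51.100.4 - - [12/Mar/2024:10:10:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SQLI_RE = re.compile(r"'|--|\b(union|select|sleep|benchmark)\b", re.I)
UPLOAD_DIRS = ("/uploads/", "/images/")      # assumed upload locations
SCRIPT_EXT = (".php", ".phtml", ".php5")

def scan(log_text):
    """Return (client_ip, rule, path) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines that do not parse
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded quotes are caught too.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if (key == "id" and not value.isdigit()) or SQLI_RE.search(value):
                findings.append((ip, "sqli-probe", url.path))
                break
        # A script served from an upload directory suggests an uploaded shell.
        path = url.path.lower()
        if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXT):
            findings.append((ip, "script-in-upload-dir", url.path))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```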
How to avoid attacks on the Web server
An organization can adopt the following policy to protect itself against web server attacks.
- Patch management– this involves installing patches to help secure the server. A patch is an update that fixes a bug in the software. The patches can be applied to the operating system and the web server system.
- Secure installation and configuration of the operating system
- Secure installation and configuration of the web server software
- Vulnerability scanning system– these include tools such as Snort, Nmap, Scanner Access Now Easy (SANE)
- Firewalls can be used to stop simple DoS attacks by blocking all traffic coming from the identified source IP addresses of the attacker.
- Antivirus software can be used to remove malicious software on the server
- Disabling Remote Administration
- Default accounts and unused accounts must be removed from the system
- Default ports & settings (like FTP at port 21) should be changed to custom port & settings (FTP port at 5069)
In this article, we learned about the working of the web server, security issues, and hacking methodologies with various examples. As an ethical hacker, it is important to know about the common web server attacks and understand the use of best practices and defensive measures to protect web servers against any attack.