Module 4 - Website Attacks

Question 1

What makes websites vulnerable

Answer 1

• designed for public access
• inbound requests (80 and 443) expected. Firewalls allow requests
• intrusions may give access to corporate lan or internet
  (potential for misconfiguration)

Question 2

Website vulnerable for following reasons

Answer 2

• misconfigurations (directory browsing, enumeration of parent paths, enabling writes)
• elevated permissions of service account
• unnecessary services running on web server, such as FTP or SMTP
• unnecessary components, such as ASP, .NET, cgi
• 3rd party content mgmt servers with own set of vulns

Question 3

Intrusion Techniques (outcomes) (4)

Answer 3

• Executable code (upload) and visit - server executes
• modify site’s content (deface or subtle to affect result)
• directory browsing and traversals (better foothold)
• view parent paths

Question 4

Website Misconfigurations

Answer 4

• unused open ports - may create entry points
• incorrect read/write access - attacker could utilize
• hosting service or account may have escalated privileges
• web site’s content hosted on same drive as OS
• file listing, directory reads, enumeration
• unused services (SMTP, FTP, ASP, scripting) WebDAV, CGI, ASP
• error messages (attackers may utilize)
• IIS - some allow for navigating
• FTP site may be same as web site
• IIS account may have elevated permissions (web service account)

Question 5

Web Server Logs (4)

Answer 5

• server log
• web site log
• firewall
• IDS
• servers without detailed logging make investigation difficult.

Question 6

Artifacts to look at re Web servers (3)

Answer 6

• Logs (4 places)

- website content (possible for malicious content)

Question 7

IIS Log File Contents

Answer 7

• Client IP address
• User name
• Date
• Time
• Service and instance
• Server name
• Server IP
• Time taken
• Client bytes sent
• Server bytes sent
• Service status code
• Windows status code
• Request type
• Target of operation
• Parameters

Question 8

Apache Log File

Answer 8

• similar to IIS, different format

- ideal for grep

Question 9

3rd Party Tools examples

Answer 9

• have their own vulnerabilities
• Content management systems
• Joomla
• vBulletin
• Wikis

Question 10

Log Location for IIS

Answer 10

C:\Windows\System32\LogFiles

• \W3SVC1 (website logs)
• \MSFTPSVC1 (FTP logs)

%SystemDrive%\Inetpub\Logs\Logfiles

Question 11

Microsoft FTP Status Codes:
200
226
250
331
332
421

Answer 11

200 - Command OK
226 - closing data connection (success)
250 - file action okay, completed
331 - user name ok, need pass
332 - need account for login
421 - connection closed, service not available

Question 12

Microsoft IIS Status Codes:
200
201
401.1
401.3
403.1
403.2
403.3
403.14

Answer 12

200 - OK. The client request has succeeded.
201 - Created.
401.1 - Logon failed.
401.3 - Unauthorized due to ACL on resource.
403.1 - Execute access forbidden.
403.2 - Read access forbidden.
403.3 - Write access forbidden.
403.14 - Directory listing denied.

Question 13

Web site intrusion Tactics

Answer 13

• uploaded executable code to web site and then viewing code through browser. - runs with privileges of service account.
• modifying site contents
• directory browsing and traversals
• viewing parent paths