It's a real possibility that the web server is locked down and secured. Going after the web application will separate the script kiddie from the more advanced hacker. Web application hacking requires the attacker to uncover applications and understand their logic. The best way to start is by just clicking through the site and spending some time examining its look and feel. You might have already ripped the entire site and stored it locally, as discussed in the previous section. If so, now's the time to start some serious source sifting to see what you can find. Pay special attention to how input is passed, what types of error messages are returned, and the types of input that various fields will accept.
After you can start to identify the underlying applications, the search for vulnerabilities can begin. If the application is a commercial product, the attacker can check for known vulnerabilities or begin to probe the application. Most application vendors are proud of their products, so a quick check of their sites might list all their clients. For the attacker who successfully finds vulnerabilities, this means that there's a whole list of potential victims.
Hidden Fields
Hidden fields is a poor coding practice that has been known and publicized for some time, although it still continues. It's the practice of using hidden HTML fields as a sole mechanism for assigning a price or obscuring a value. This practice of security by obscurity can be easily overcome by just reviewing the code. The theory is that if end users cannot see it, it is safe from tampering. Many sites use these hidden value fields to store the price of the product that is passed to the web application. An example pulled from a website is shown here:
[View full width]
.pl?db=stuff.dat&category=&search=Mens-Rings&method=&begin=&display=&price=&merchant=">
Finding one of these sites is a script kiddies' dream, as all he must do is save the web page locally, modify the amount, and the new value will be passed to the web application. If no input validation is performed, the application will accept the new, manipulated value. These three simple steps are shown here:
1. |
Save the page locally and open the source code. |
2. |
Modify the amount and save the page. As an example, change $345.50 to $5.99: |
3. |
Refresh the local HTML page and then click Add to Cart. If successful, you'll be presented with a checkout page that reflects the new hacked value of $5.99. |
Some poorly written applications will even accept a negative value. Before you get too excited about this, remember that completing the order would be seen as theft and or fraud, depending on local laws. The real problem here is that an application should never rely on the web browser to set the price of an item. Even without changing the price, an attacker might just try to feed large amounts of data into the field to see how the application responds. Values from hidden fields, check boxes, select lists, and HTTP headers might be manipulated by malicious users and used to make web applications misbehave if the designer did not build in proper validation. If you think that there is a shortage of sites with these types of vulnerabilities, think again. A quick Google search for type=hidden name=price returns hundreds of hits.
Web-Based Authentication
Objective:
|
Authentication plays a critical role in the security of any website. There might be areas you want to restrict or content that is confidential or sensitive. There are many different ways to authenticate users. Authentication can include something you know, such as a username and a password; something you have, such as a token or smart card; or even something you are, such as fingerprints, retina scans, or voice recognition. The authentication types that will be discussed in this section include
Basic authentication is achieved through the process of exclusive ORing (XOR). Basic encryption starts to work when a user requests a protected resource. The Enter Network Password box pops up to prompt the user for a username and password. When the user enters his password, it is sent via HTTP back to the server. The data is encoded by the XOR binary operation. This function requires that when two bits are combined, the results will only be a 0 if both bits are the same. XOR functions by first converting all letters, symbols, and numbers to ASCII text. These are represented by their binary equivalent. The resulting XOR value is sent via HTTP. This is the encrypted text. As an example, if an attacker were to sniff a packet with basic authentication traffic, he would see the following:
Authorization: Basic gADzdBCPSEG1
It's a weak form of encryption, and many tools can be used to compromise it. Cain, which is reviewed in Chapter 7, "Sniffers, Session Hijacking, and Denial of Service," has a basic encryption cracking tool built in. Just Google for base64 decoder to find a multitude of programs that will encode or decode basic encryption.
Tip
Base encryption is one of the weakest forms of authentication. It is not much better than cleartext. Basic is a type of obsufication or security by obscurity.
Message digest authentication is a big improvement over basic. Message digest uses the MD5 hashing algorithm. Message digest is based on a challenge response protocol. It uses the user-name, the password, and a nonce value to create an encrypted value that is passed to the server. The nonce value makes it much more resistant to cracking and makes sniffing attacks useless. Message digest is described in RFC 2716. An offshoot of this authentication method is NTLM authentication.
Certificate-based authentication is the strongest form of authentication discussed so far. When users attempt to authenticate, they present the web server with their certificates. The certificate contains a public key and the signature of the Certificate authority. The web server must then verify the validity of the certificate's signature and then authenticate the user by using public key cryptography. Certificate-based authentication uses public key cryptography and is discussed at length in Chapter 12, "Cryptographic Attacks and Defenses".
Forms-based authentication is widely used on the Internet. It functions through the use of a cookie that is issued to a client. After being authenticated, the application generates a cookie or session variable. This stored cookie is then reused on subsequent visits. If this cookie is stolen or hijacked, the attacker can use it to spoof the victim at the targeted website.
Web-Based Password Cracking
An unlimited number of tools are available for the attacker to attempt to break into web-based applications. If the site does not employ a lockout policy, it is only a matter of time and bandwidth before the attacker can gain entry. Password cracking doesn't have to involve sophisticated tools; many times password guessing works well. It can be a tedious process, although human intuition can beat automated tools. The basic types of password attacks include
Tip
Understand the different types of password cracking.
Some of these password cracking tools are
With logging enabled, you should be able to detect such tools. Following are a few entries from the Winntsystem32LogfilesW3SVC1 folder. They should look familiar:
192.168.13.3 sa HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET 192.168.13.3 administrator HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET 192.168.13.3 admin HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET
Finding log information that leads directly to an attacker is not always so easy. Sometimes attackers will practice URL obfuscation. This allows the attacker to attempt to hide his IP address. Attackers will also attempt to use cookies to further their hold on a system. You might be surprised to know how much information they maintain. Sometimes they are even used to store passwords. Cookies are our next topic.
Cookies
Cookies have a legitimate purpose. HTTP is a stateless protocol. For example, this presents real problems if you want to rent a car from rent-a-car.com and it asks for a location. To keep track of the location where you want to rent the car, the application must set a cookie. Information, such as location, time, and date of the rental, are packaged into a cookie and sent to your Web browser, which stores it for later use. A couple of tools that can be used to view cookies include
If the attacker can gain physical access to the victim's computer, these tools can be used to steal cookies or to view hidden passwords. You might think that passwords wouldn't be hidden in cookies, but that is not always the case. It's another example of security by obscurity. Cookies used with forms authentication or other remember me functionality might hold passwords or usernames. Here's an example:
Set-Cookie: UID= bWlrZTptaWtlc3Bhc3N3b3JkDQoNCg; expires=Fri, 06-Jan-2006
The UID value appears to contain random letters, but more than that is there. If you run it through a Base64 decoder, you end up with mike:mikespassword. It's never good practice to store usernames and passwords in a cookie, especially in an insecure state.
URL Obfuscation
It is possible to hide addresses in URLs so that they can bypass filters or other application defenses that have been put in place to block specific IP addresses. Although web browsers recognize URLs that contain hexadecimal or binary character representations, some web filtering applications don't. Here is an example of an encoded binary IP address: http://8812120797/. Does it look confusing? This decimal address can be converted into a human readable IP address. Convert the address into hexadecimal, divide it into four sets of two digits, and finally convert each set back into decimal to recover the IP address manually.
To convert an IP address to its binary equivalent, perform the following steps.
1. |
Convert each individual number in the IP address to its binary equivalent. Let's say that the address is 192.168.13.10. |
2. |
Combine the four eight digit numbers into one 32-digit binary number. The previous example produces 11000000101010000000110100001010. |
3. |
Convert the 32-bit number back to a decimal number. The example yields 3232238858. |
4. |
Entering this into the address field, http://3232238858, takes you to 192.168.12.10. |
Tip
You will need to understand URL obfuscation before attempting the CEH exam.
Cross-Site Scripting
Cross-site scripting (XSS) is a computer security exploit that occurs when a web application is used to gather data from a victim. Sending the victim an email with an embedded malicious link is the way to commit an attack. Victims who fall for the ruse and click on the link will have their credentials stolen. Sites running PHPnuke have been particularly hard hit by this attack. The steps required to complete this attack include
1. |
Find a vulnerable site that issues the needed cookies. |
2. |
Build the attack code and verify that it will function as expected. [View full width] <a href="http://example.com/comment.cgi? mycomment= |