Remote Server Management

Yes, Dorothy, people do occasionally manage their web servers remotely over the Internet (grin). Depending on the choice of protocol, these management interfaces can present an attractive window to opportunistic attackers. We'll briefly cover some of the most common mechanisms and associated weaknesses in this section.

Tip 

For a complete read on remote administration vulnerabilities, see the latest edition of Hacking Exposed: Network Security Secrets & Solutions (Fifth Edition, at the time of this writing) from McGraw-Hill/Osborne.

Before we begin, a brief point about web management in general is in order. We recommend running remote management services on a single system dedicated to the task, and then using that system to connect to individual web servers; don't deploy remote management capabilities on every web server. This narrows the viable attack surface to that one server and also allows for management of multiple web servers from a central location that can be heavily restricted and audited. Yeah, OK, if someone manages to compromise the remote management server, then all of the servers it manages are compromised, too. We still prefer the "put all your eggs in one basket and watch that basket" approach when it comes to remote control.

Tip 

CERT has published some general recommendations for secure remote administration of servers; see the "References and Further Reading" section at the end of this chapter for a link.

Telnet

We still see Telnet used for remote management of web servers today. As if it needs repeating, Telnet is a cleartext protocol, and as such is vulnerable to eavesdropping attacks by network intermediaries (translation: someone can sniff your Telnet password in transit between you and the web server). And don't even bother bringing up that tired old argument about how difficult it might be to sniff passwords on the Internet; it's not the Internet that's the problem, but rather the multitude of other networks that your Telnet traffic must traverse getting to the Internet (think about your corporate network, your ISP's network, and so on). Furthermore, why even take the risk when protocols like SSH are available and offer much better security?

If you're interested in seeing if your web servers are using Telnet, scan for TCP port 23 with any decent port scanner or just open a command prompt and attempt to open a Telnet connection to the web server.

SSH

Secure Shell (SSH) has been the mainstay of secure remote management for years (more secure than Telnet, at least). It uses encryption to protect authentication and subsequent data transfers, thus preventing the sort of easy eavesdropping attacks that Telnet falls prey to. Be aware that some severe vulnerabilities have been discovered in certain implementations of the SSH version 1 (SSH1) protocol, so just because it has "secure" in its name doesn't mean you have license to forget best practices like keeping abreast of recent security advisories and patches. We recommend using SSH2, at least.

Interestingly, SSH also supports file transfers via the Secure Copy (scp) utility, making it even more attractive for those who want to simultaneously manage web server content. We discuss scp again in the upcoming section on web content management.

Because of its common usage as a remote management tool, we always include SSH (TCP port 22) in our discovery and enumeration scans when performing web application audits. SSH is still vulnerable to password guessing attacks, and it never hurts to try some of the more obvious guesses when performing a web audit (root:[NULL], root:root, root:admin, admin:[NULL], and so on).

Proprietary Management Ports

A lot of web servers ship with their own proprietary web management interfaces available by default. These interfaces are typically another instance of an HTTP server providing access to HTML or script files used to configure the server. They are typically authenticated using HTTP Basic. Table 9-1 lists some of the more common ports used by popular web server vendors (we noted most of these in Chapter 2 but felt it important to reiterate them here).

Table 9-1: Common Default Web Server Management Ports

Port     Vendor HTTP Management
-------  ----------------------------------------------------------------
900      IBM WebSphere administration client default
2301     Compaq Insight Manager
2381     Compaq Insight Manager over SSL
4242     Microsoft Application Center remote management
7001     BEA WebLogic default
7002     BEA WebLogic over SSL default
7070     Sun Java web server over SSL
8000     Alternate web server or web cache
8001     Alternate web server or management
8005     Apache Tomcat
8008     Novell NetWare 5.1 management portal
8080     Alternate web server, or Squid cache control (cachemgr.cgi), or Sun Java web server
8100     Allaire JRUN
88x0     Ports 8810, 8820, 8830, and so on usually belong to ATG Dynamo
8888     Commonly used for alternate HTTP servers or management
9090     Sun Java web server admin module
10,000   Netscape Administrator interface (default)
XXXX     Microsoft IIS, random four-digit high port; source IP restricted to local machine access by default

As many of these ports are user-defined, they're not easily identified unless you're willing to perform full 65,535-port scans of some subset of your network. Many are also protected by authentication mechanisms, typically HTTP Basic or Forms-based login. The number of easily guessed passwords we've seen in our travels makes this a worthwhile area of investigation for web auditors, however.

Other Administration Services

Remote server administration is accomplished a number of ways, and the previous discussion certainly isn't meant to suggest that these are the only services used to manage web servers. We've seen a variety of remote control software used for this purpose, with AT&T Labs' VNC being the most popular in our experience (see the most recent edition of Hacking Exposed: Network Secrets & Solutions (McGraw-Hill/Osborne) for a comprehensive discussion of remote administration tools). VNC listens on TCP port 5800 by default. Another very popular remote management tool is Microsoft's Terminal Services, which listens on TCP 3389.

Other popular remote management protocols include the Simple Network Management Protocol (SNMP) on UDP 161, and the Lightweight Directory Access Protocol (LDAP) on TCP/UDP 389, which is sometimes used as an authentication server for web server users, including administrators.
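
For administrators checking their own web servers against the ports discussed in this section, the following added example (not from the book) reads `ss -ltn` style output and reports management listeners bound to anything other than loopback or an approved management address. The sample output, the 10.0.5.20 management address, and the choice to leave out the generic alternate-HTTP ports (8000, 8001, 8080, 8888) are assumptions made for illustration.

```python
import re

# TCP ports named on this page (Telnet, SSH, Table 9-1, VNC, Terminal Services,
# LDAP). SNMP (UDP 161) is omitted because this check only reads TCP listeners;
# 8000/8001/8080/8888 are omitted to avoid flagging ordinary web listeners.
MGMT_PORTS = {
    22: "SSH", 23: "Telnet", 389: "LDAP", 900: "IBM WebSphere admin client",
    2301: "Compaq Insight Manager", 2381: "Compaq Insight Manager (SSL)",
    3389: "Microsoft Terminal Services", 4242: "Microsoft Application Center",
    5800: "VNC", 7001: "BEA WebLogic", 7002: "BEA WebLogic (SSL)",
    7070: "Sun Java web server (SSL)", 8005: "Apache Tomcat",
    8008: "Novell NetWare management portal", 8100: "Allaire JRUN",
    9090: "Sun Java web server admin", 10000: "Netscape Administrator",
}
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[?::1\]?)$")

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       100     127.0.0.1:8005      0.0.0.0:*
LISTEN  0       128     [::]:9090           [::]:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     10.0.5.20:7001      0.0.0.0:*
"""

def exposed_management_listeners(ss_output, allowed_binds=()):
    """Return (port, service, bind_address) for management listeners bound to
    anything other than loopback or an explicitly allowed address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and non-listening sockets
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in MGMT_PORTS:
            continue  # not one of the management ports listed above
        if LOOPBACK.match(addr) or addr in allowed_binds:
            continue  # local-only or bound to the approved management address
        findings.append((int(port), MGMT_PORTS[int(port)], addr))
    return sorted(findings)

if __name__ == "__main__":
    # 10.0.5.20 stands in for a dedicated management-network interface (assumed).
    for port, service, addr in exposed_management_listeners(SAMPLE, {"10.0.5.20"}):
        print(f"{addr}:{port} {service} is reachable beyond loopback")
```

On a live host, pass the real output of `ss -ltn` in place of SAMPLE and list only the addresses of the dedicated management network in allowed_binds.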



Hacking Exposed Web Applications
HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
EAN: 2147483647
Year: 2006
Pages: 127
