The Attacker's Point of View

Look at the situation from the attacker's side.

The attacker has a certain goal. Suppose he or she has investigated the target site properly but failed to find any vulnerabilities. The only way to gain full or partial control over the target site is to attack another site on the same hosting server, gain control over that site, and try to access the target site.

Note 

The task of obtaining control over the target site is reduced to the task of finding a vulnerable site on the same hosting server and obtaining control over that site.

Although the task of finding and exploiting vulnerabilities in a target site is well described in this book, the task of finding sites on the same server is a challenge.

Which methods work for finding the sites on a hosting server depends on the particular situation.

For example, the attacker can use the following sources of information about the addresses of sites:

  • The hosting site

  • The domain name system (DNS) reverse zone

  • Search systems

  • The netcraft database

  • The cache of a DNS server

Information from the Hosting Site

Sometimes, hosting providers publish information about their clients on pages of their official sites. The attacker is likely to check the hosting provider's official site for the addresses of the clients' Web sites.

If the hosting provider's official site is on the same physical server as the target site, the attacker can try to find vulnerabilities in it.

It is easy to find out which hosting server a particular site is on. For example, the attacker can use a whois database. By sending whois queries with the name and the IP address of the site, the attacker can obtain information about the owner of the site and about the hosting provider.

The IP address can be obtained with the nslookup utility.

Consider an example that returns information about the www.admin.ru site.

Example

 -bash-2.05b$ whois admin.ru
 % By submitting a query to RIPN's Whois Service
 % you agree to abide by the following terms of use:
 % http://www.ripn.net/about/servpol.html#3.2 (in Russian)
 % http://www.ripn.net/about/en/servpol.html#3.2 (in English).
 domain:     ADMIN.RU
 type:       CORPORATE
 nserver:    ns.masterhost.ru.
 nserver:    ns1.masterhost.ru.
 nserver:    ns2.masterhost.ru.
 state:      REGISTERED, DELEGATED
 person:     Alexey N Bykov
 phone:      +7 095 0000000
 e-mail:     domain@mod.ru
 registrar:  RUCENTER-REG-RIPN
 created:    2000.07.17
 paid-till:  2005.07.17
 source:     TC-RIPN
 Last updated on 2004.12.22 14:51:42 MSK/MSD

 -bash-2.05b$ nslookup admin.ru
 Server:  localhost
 Address: 127.0.0.1

 Name:    admin.ru
 Address: 217.16.20.40

 -bash-2.05b$ whois 217.16.20.40
 inetnum:      217.16.20.0 - 217.16.20.255
 netname:      MASTERHOST
 descr:        Masterhost.ru is a hosting and technical support organization.
 country:      RU
 admin-c:      MHST-RIPE
 tech-c:       MHST-RIPE
 status:       ASSIGNED PA
 notify:       noc@masterhost.ru
 mnt-by:       MASTERHOST-MNT
 changed:      caspy@masterhost.ru 20030508
 source:       RIPE

 route:        217.16.16.0/20
 descr:        masterhost
 origin:       AS25532
 notify:       noc@masterhost.ru
 mnt-routes:   MASTERHOST-MNT
 mnt-by:       MASTERHOST-MNT
 changed:      caspy@masterhost.ru 20030414
 changed:      caspy@masterhost.ru 20040901
 source:       RIPE

 role:         MASTERHOST NOC
 address:      MasterHost CJSC.
 address:      Arkhangelskiy per., 1, office 513
 address:      101934 Moscow
 address:      Russia
 phone:        +7 095 7729720
 fax-no:       +7 095 7729723
 e-mail:       noc@masterhost.ru
 trouble:      ----------------------------------------------------------
 trouble:      MASTERHOST is available 24 x 7
 trouble:      ----------------------------------------------------------
 trouble:      Points of contact for MASTERHOST Network Operations
 trouble:      ----------------------------------------------------------
 trouble:      Routing and peering issues:       noc@masterhost.ru
 trouble:      SPAM and Network security issues: abuse@masterhost.ru
 trouble:      Mail and News issues:             postmaster@masterhost.ru
 trouble:      Customer support:                 support@masterhost.ru
 trouble:      General information:              info@masterhost.ru
 trouble:      ----------------------------------------------------------
 admin-c:      AAS-RIPE
 tech-c:       AAS-RIPE
 tech-c:       UNK-RIPE
 nic-hdl:      MHST-RIPE
 notify:       noc@masterhost.ru
 mnt-by:       MASTERHOST-MNT
 changed:      caspy@masterhost.ru 20021118
 changed:      caspy@masterhost.ru 20030831
 source:       RIPE

The domain whois query (the name servers are all in masterhost.ru) lets the attacker suspect that the site is hosted by masterhost. The whois query on the IP address confirms this: the address belongs to the MASTERHOST range.

These simple actions would allow the attacker to find out that the target site is located at masterhost.ru.
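The two whois replies above are RPSL-style "key: value" records, so the reasoning the section does by eye can be automated. The following is an added example, not code from the book: it parses whois output of that shape and pulls out the facts a site owner auditing their own hosting placement wants (name servers, the allocated range and its netname, the route and origin AS). The sample text is a trimmed, constructed copy of the page's whois output; `hosting_provider()` is an assumed heuristic (the registrable domain shared by the name servers), not something the whois format guarantees.

```python
"""Parse RPSL-style whois output and summarize where a domain is hosted.

Added example, not from the book. The sample strings below are constructed
from the whois session shown in the section.
"""
import re
from collections import defaultdict

# Constructed sample: abbreviated output of `whois admin.ru` (comment lines
# start with %) and `whois 217.16.20.40` (blank lines separate records).
SAMPLE_DOMAIN_WHOIS = """\
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
domain:     ADMIN.RU
type:       CORPORATE
nserver:    ns.masterhost.ru.
nserver:    ns1.masterhost.ru.
nserver:    ns2.masterhost.ru.
state:      REGISTERED, DELEGATED
registrar:  RUCENTER-REG-RIPN
source:     TC-RIPN
"""

SAMPLE_IP_WHOIS = """\
inetnum:      217.16.20.0 - 217.16.20.255
netname:      MASTERHOST
descr:        Masterhost.ru is a hosting and technical support organization.
country:      RU
status:       ASSIGNED PA
source:       RIPE

route:        217.16.16.0/20
descr:        masterhost
origin:       AS25532
source:       RIPE

role:         MASTERHOST NOC
address:      MasterHost CJSC.
e-mail:       noc@masterhost.ru
nic-hdl:      MHST-RIPE
source:       RIPE
"""

FIELD = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*)$")


def parse_whois(text):
    """Split whois output into records (blank-line separated) mapping
    key -> list of values. Keys are lower-cased; '%' / '#' comments are skipped."""
    records, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith(("%", "#")):
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).lower()].append(m.group(2).strip())
    if current:
        records.append(dict(current))
    return records


def hosting_summary(domain_text, ip_text):
    """Combine the domain and IP lookups into the facts the section derives
    by hand: name servers, the allocated range, its netname and origin AS."""
    summary = {"nservers": [], "inetnum": None, "netname": None,
               "route": None, "origin": None}
    for rec in parse_whois(domain_text):
        summary["nservers"] += [ns.rstrip(".") for ns in rec.get("nserver", [])]
    for rec in parse_whois(ip_text):
        if "inetnum" in rec:
            summary["inetnum"] = rec["inetnum"][0]
            summary["netname"] = rec.get("netname", [None])[0]
        if "route" in rec:
            summary["route"] = rec["route"][0]
            summary["origin"] = rec.get("origin", [None])[0]
    return summary


def hosting_provider(summary):
    """Assumed heuristic: the registrable domain shared by the name servers
    names the hosting provider (masterhost.ru in the section's example)."""
    names = {".".join(ns.split(".")[-2:]) for ns in summary["nservers"]}
    return sorted(names)


if __name__ == "__main__":
    s = hosting_summary(SAMPLE_DOMAIN_WHOIS, SAMPLE_IP_WHOIS)
    print(s)
    print("provider domain(s):", hosting_provider(s))
```

Feeding the script real `whois` output works the same way; the `netname` and `inetnum` values are what a site owner compares against their provider's documented ranges to confirm which shared server their site actually sits on.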

The DNS Reverse Zone

Consider an example that returns information about the hosting server and (in some cases) about other sites on the host.

Example

 -bash-2.05b$ nslookup www.pautinka.ru
 Server:  localhost
 Address:  127.0.0.1

 Non-authoritative answer:
 Name:    pautinka.ru
 Address:  217.106.232.17
 Aliases:  www.pautinka.ru

 -bash-2.05b$ nslookup 217.106.232.17
 Server:  localhost
 Address:  127.0.0.1

 Name:    asp.z8.ru
 Address:  217.106.232.17

 -bash-2.05b$

Thus, a forward lookup followed by a reverse lookup of the resulting address gives the attacker the name of another site on the same physical server.
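The same forward-then-reverse lookup is what a site owner or hosting administrator runs to see what the reverse zone discloses about their own addresses. The following is an added example, not code from the book: for each name it does the forward lookup and the PTR lookup from the nslookup session above, groups names by address, and flags addresses whose PTR record names a host that was not among the names queried (the asp.z8.ru case). The resolver functions are injectable so the check runs offline; `FORWARD` and `REVERSE` are a constructed table mirroring the session, and the `socket_*` defaults use the standard library for live use.

```python
"""Co-hosting exposure check: which of my names share an address, and what
does the reverse zone say about that address?

Added example, not from the book. The lookup table is constructed from the
nslookup session shown in the section.
"""
import socket
from collections import defaultdict

# Constructed data mirroring the session above (forward A lookup, PTR lookup).
FORWARD = {"www.pautinka.ru": "217.106.232.17", "pautinka.ru": "217.106.232.17"}
REVERSE = {"217.106.232.17": "asp.z8.ru"}


def table_forward(name):
    """Offline forward resolver backed by the constructed table."""
    return FORWARD.get(name)


def table_reverse(addr):
    """Offline reverse (PTR) resolver backed by the constructed table."""
    return REVERSE.get(addr)


def socket_forward(name):
    """Live forward resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def socket_reverse(addr):
    """Live PTR resolver; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def cohosting_report(names, forward=socket_forward, reverse=socket_reverse):
    """Return {address: {"names": [...], "ptr": str | None,
    "ptr_exposes_other": bool}}.

    ptr_exposes_other is True when the PTR record names a host that is not one
    of the names we asked about, i.e. a reverse query on the address reveals
    a different site sharing it."""
    by_addr = defaultdict(list)
    for name in names:
        addr = forward(name)
        if addr:
            by_addr[addr].append(name)
    report = {}
    for addr, hosted in by_addr.items():
        ptr = reverse(addr)
        known = {n.lower() for n in hosted}
        report[addr] = {
            "names": sorted(hosted),
            "ptr": ptr,
            "ptr_exposes_other": ptr is not None and ptr.lower() not in known,
        }
    return report


if __name__ == "__main__":
    # Offline run against the constructed table.
    for addr, info in cohosting_report(list(FORWARD), table_forward, table_reverse).items():
        print(addr, info)
```

Run against your own inventory of names with the `socket_*` defaults, an address that groups several of your names tells you which sites share a server, and a PTR that names something you do not own tells you which third-party site the reverse zone advertises alongside yours.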

Information from Search Systems

Sometimes, a search for sites with the same IP address (located on the same physical server) can return interesting results.

For example, the attacker can search by the following:

  • The IP address of the target site

  • The name and address of the target site's provider

  • The name and address of the target site

The probability of obtaining the needed information is small, but there is a chance.

Information from the netcraft Database

The netcraft.com database stores statistics about various sites that can be interesting for the attacker. In particular, an attacker can learn from the netcraft database which IP network contains the IP address of the provider. Then he or she can obtain the addresses of all sites belonging to this network.

If a few servers have identical or similar features, the attacker can guess which IP addresses are aliases of the main IP address of one server.

For example, send the following request:

http://uptime.netcraft.com/up/graph/?host=www.mail.ru

This will reveal the IP network that contains the IP address of www.mail.ru. This is MAILRU-NET2,194.67.57.0,194.67.57.255.

The next request, http://uptime.netcraft.com/up/hosted?netname=MAILRU-NET.2,194.67.57.0,194.67.57.255, will return a list of sites known to netcraft that have IP addresses from the same network.

The Cache of a DNS Server

If the attacker can access the cache of a large DNS server, he or she can try to obtain a list of sites that have the same IP address as the target site.

If the attacker can read the configuration file of the HTTP server on the server that hosts the target site, he or she can obtain a fairly precise list of the sites located on that server. However, I am describing a situation in which the attacker cannot access the server's internals.

If the attacker fails to find a site located on the same server as the target site, or finds such sites but cannot exploit vulnerabilities in them to obtain privileges on the target server, he or she can take another step: host his or her own site with the same hosting company as the target site. Depending on the hosting company, it is likely that the attacker's site will be placed on the same physical server as the target site.

Therefore, the attacker will be able to take all of the steps described earlier to obtain control over the target server.

In this case, the cost of the break-in for the attacker is just the rental cost of the disk space (support for PHP or Perl scripts and a database may also be required).

Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005