September 24, 2020

GHR 111 – Web Server Hacking

Objectives:

There has never been a more target-rich environment in the history of warfare. A cyber war has been brewing for years, and web servers are under constant attack, whether their administrators are aware of it or not.

  • Topic 111.01 – Recon
  • Topic 111.02 – Ciphers

Topic 111.01 – Recon

  • RULE : Before attacking the web server, you need to identify what type of web server it is (e.g. IIS, Apache, NGINX).
  • RULE : Before attacking the web server, you need to know which application platforms are running on it (e.g. Tomcat, Ruby on Rails, ASP.NET).
    • RED TEAM : A lot of information about the web server(s) can be gathered from netcraft.com: type the target URL into the “What’s that site running?” box.
  • RULE : Banner grabbing can help you identify the web server: the Server header (and often X-Powered-By) in the HTTP response headers names the software, and frequently its version.
    • RED TEAM : use telnet to view the response headers:
      • Type telnet darkblueteam.com 80
      • Type HEAD / HTTP/1.0
      • Press the RETURN key twice (the blank line terminates the request)
    • RED TEAM : use curl to view the response headers: curl -I darkblueteam.com (-I sends a HEAD request and prints only the headers; a plain curl darkblueteam.com returns the page body instead).
    • Caveat: the banner is under the administrator's control and can be stripped or faked (e.g. Apache's ServerTokens directive), so confirm it with other evidence such as default pages, error pages, and the application platforms discovered above.
  • RULE : Site ripping (mirroring the whole site to disk) is the fast way to crawl a website.
    • RED TEAM : On Linux, use wget.
    • RED TEAM : On Windows, use wget (also available for Windows), BlackWidow, Teleport Pro, etc.
  • RULE : After you identify the web server software and version, check the known vulnerabilities for that particular flavor of web server. Public vulnerability databases track these by product and version.
  • RULE : System administrators who don't keep up with patches for the web server, or who have simply accepted the risk, are leaving the door open for the attacker to exploit it.
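The banner-grabbing steps above, as an added example (this is not code from the original page): it sends the same HEAD / HTTP/1.0 request over a raw socket and pulls the fingerprint headers out of the response. darkblueteam.com is the page's own example target; SAMPLE_RESPONSE is a constructed response so the parser can be exercised offline.

```python
"""Banner grab over a raw socket and parse the HTTP response headers.

Added example for the banner-grabbing step; not part of the original
page.  SAMPLE_RESPONSE is constructed so parse_banner() runs offline;
grab_banner() performs the real network request.
"""
import socket

# Headers that commonly reveal the server and application stack.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def build_head_request(host: str) -> bytes:
    # HEAD asks for headers only; HTTP/1.0 keeps the exchange short and
    # needs no keep-alive handling.  Host: is still sent so name-based
    # virtual hosts answer for the right site.
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_banner(raw: bytes) -> dict:
    """Return the status line plus any fingerprint headers in a response."""
    text = raw.decode("iso-8859-1")          # never fails on arbitrary bytes
    head, _, _ = text.partition("\r\n\r\n")  # drop any body after the headers
    lines = head.split("\r\n")
    result = {"status": lines[0].strip(), "headers": {}}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()          # header names are case-insensitive
        if name in FINGERPRINT_HEADERS:
            result["headers"][name] = value.strip()
    return result


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send a HEAD request, and return the parsed banner."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break  # headers complete; no need to wait for a body
    return parse_banner(b"".join(chunks))


# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 24 Sep 2020 12:00:00 GMT\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(grab_banner(sys.argv[1]))      # e.g. python3 banner.py darkblueteam.com
    else:
        print(parse_banner(SAMPLE_RESPONSE))
```

Run it with a hostname to grab a live banner on port 80, or with no arguments to parse the constructed sample. For an HTTPS site the same request has to go through a TLS-wrapped socket; curl -I https://host does that for you.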

Topic 111.02 – Ciphers

  • RULE : Check to see if any weak protocol versions or cipher suites are enabled on the server (SSLv2, SSLv3, RC4, export-grade and NULL ciphers, and so on).
    • RED TEAM : openssl s_client -connect darkblueteam.com:443 -ssl2
    • Caveat: -ssl2 only works with an OpenSSL build that still includes SSLv2 support, which current releases do not; on a modern system use the -ssl3, -tls1 and -tls1_1 options (where compiled in) to test each legacy version one at a time, or run nmap --script ssl-enum-ciphers -p 443 darkblueteam.com for a full enumeration of accepted versions and cipher suites.
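The same check done from Python's ssl module, as an added example (not code from the original page): each handshake is pinned to one protocol version, and the negotiated cipher is graded against an assumed weak-cipher policy. SAMPLE_RESULTS is a constructed probe result, not output from any real host, so the grading logic can be run offline; SSLv2 and SSLv3 are left out because current OpenSSL builds cannot speak them.

```python
"""Probe which TLS versions a server accepts and flag weak suites.

Added example for the weak-cipher check; not part of the original page.
classify_cipher() and findings() work offline on cipher suite names and
on constructed probe results; probe_versions() makes real connections.
SSLv2 and SSLv3 are not in the probe list because current OpenSSL builds
(and therefore Python's ssl module) no longer speak them.
"""
import socket
import ssl

# Substrings of OpenSSL cipher suite names that mark a suite as weak.
# Assumed policy list; extend it to match your own baseline.
WEAK_MARKERS = {
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES block cipher",
    "MD5": "MD5 MAC",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
}

# Versions to try, oldest first.  TLS 1.0/1.1 are deprecated (RFC 8996)
# and count as a finding when the server accepts them.
PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def classify_cipher(name: str) -> list:
    """Return the reasons a cipher suite is weak; an empty list means none."""
    upper = name.upper()
    return [reason for marker, reason in WEAK_MARKERS.items() if marker in upper]


def probe_version(host: str, port: int, version, timeout: float = 5.0):
    """Handshake pinned to one protocol version.

    Returns the negotiated cipher name, or None if the server (or the
    local OpenSSL build) refuses that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # version not compiled into the local OpenSSL
    # Offer legacy suites too, so a weak server-side preference shows up.
    # @SECLEVEL=0 is OpenSSL 1.1+ syntax; fall back if it is rejected.
    for spec in ("ALL:COMPLEMENTOFALL:@SECLEVEL=0", "ALL:COMPLEMENTOFALL"):
        try:
            ctx.set_ciphers(spec)
            break
        except ssl.SSLError:
            continue
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe_versions(host: str, port: int = 443) -> dict:
    """Map each protocol label to the cipher negotiated, or None."""
    return {label: probe_version(host, port, ver) for label, ver in PROBE_VERSIONS}


def findings(results: dict) -> list:
    """Turn probe results into finding strings (empty list = nothing weak)."""
    out = []
    for label, cipher in results.items():
        if cipher is None:
            continue
        if label in LEGACY_VERSIONS:
            out.append(f"{label} accepted (deprecated protocol)")
        for reason in classify_cipher(cipher):
            out.append(f"{label} negotiated {cipher}: {reason}")
    return out


# Constructed probe result (not from a real host) for the offline demo.
SAMPLE_RESULTS = {
    "TLSv1.0": "RC4-SHA",
    "TLSv1.1": None,
    "TLSv1.2": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLSv1.3": "TLS_AES_256_GCM_SHA384",
}

if __name__ == "__main__":
    import sys
    results = probe_versions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    for label, cipher in results.items():
        print(f"{label:8} {cipher or 'rejected'}")
    for line in findings(results):
        print("WEAK:", line)
```

Each pinned handshake only reveals the server's preferred suite for that version, not every suite it would accept; to enumerate all of them, loop over the names from openssl ciphers with one set_ciphers() call per suite, or use nmap's ssl-enum-ciphers script.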