Website Security Assessment

To properly assess the security of a website it is necessary to gather as much
information as possible about the system and its environment. Firstly we'll set
out the steps involved in finding this information, an activity known as
"footprinting".

Footprinting

Footprinting is the process of discovering information about the organisation
and the network where the web server is located. Footprinting uses publicly
accessible information and utilities that would not alert a vigilant network
administrator. A suitable analogy would be a burglar viewing a house from the
road.

From the URL supplied we started with the domain name: acme-widgets.co.uk. By
"pinging" the name www.acme-widgets.co.uk we get the IP address 10.0.0.21.

Domain Name Services

DNS is the process of translating the names of machines on the internet, such
as www.microsoft.com and smtp.isp.co.uk, to IP addresses. The purpose of DNS
queries is to discover the machine names, and their associated IP addresses,
used by the target organisation.

DNS queries can reveal information about the organisation such as internal
system names, IP addresses and types; contact details; and network topology.
Publicly available DNS should only list the minimum details of systems that are
publicly accessible.

A query for acme-widgets.co.uk using DNS reveals the following:

Service                  Name                        IP address
Domain name servers      ns1.isp.net                 172.16.32.35
                         ns2.isp.net                 172.16.32.37
Mail exchange servers    mail.acme-components.com    14.168.200.25
Other servers            www.acme-widgets.co.uk      10.0.0.21
                         dev.acme-widgets.co.uk      192.168.200.5

The above information provides details of the ISP and the email server, which
has a domain name different from acme-widgets.co.uk and may be on a separate
network. Also listed are the web server and another server named "dev" on a
separate network.

The mail server name and IP address indicate Acme Widgets Ltd is part of a
group of companies and that another company within the group handles email. This
would represent another potential avenue of attack against Acme.

Subsequent work has shown that the server dev.acme-widgets.co.uk no longer
exists. However, the listed IP address is an internal address that should not be
accessible from the internet. Records for internal servers should only be listed
on internal DNS servers.
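As an added example (not part of the original assessment), the following Python applies the rule just stated to the records in the table above: a name under the organisation's own zone whose address lies outside the block RIPE attributes to it is flagged, and an RFC 1918 address there is reported as an internal host leaked into public DNS. The records and the 10.0.0.0/24 block are taken from the page; its addresses are anonymised, so that block is assumed to be the public allocation.

```python
import ipaddress

# Records returned by the DNS query, constructed from the table above. The
# page's addresses are anonymised, so 10.0.0.0/24 (the block the RIPE query
# attributes to Acme) is assumed to be the organisation's public allocation.
ZONE = "acme-widgets.co.uk"
ALLOCATED = ipaddress.ip_network("10.0.0.0/24")
RECORDS = [
    ("NS", "ns1.isp.net", "172.16.32.35"),
    ("NS", "ns2.isp.net", "172.16.32.37"),
    ("MX", "mail.acme-components.com", "14.168.200.25"),
    ("A", "www.acme-widgets.co.uk", "10.0.0.21"),
    ("A", "dev.acme-widgets.co.uk", "192.168.200.5"),
]

def in_zone(name, zone=ZONE):
    return name == zone or name.endswith("." + zone)

def classify(name, addr, zone=ZONE, allocated=ALLOCATED):
    """Decide whether a published record is expected or leaks internal detail."""
    ip = ipaddress.ip_address(addr)
    if not in_zone(name, zone):
        # Another organisation's host (ISP name servers, a group company's
        # mail relay): worth noting as a separate network, not a leak.
        return "third-party"
    if ip in allocated:
        return "ok"
    if ip.is_private:
        # An RFC 1918 address has no business in a public zone: it names an
        # internal host and belongs only on internal DNS servers.
        return "leak: internal address published"
    return "warn: address outside allocated block"

def audit(records=RECORDS, zone=ZONE, allocated=ALLOCATED):
    """Return (name, address, verdict) for every record that is not 'ok'."""
    findings = []
    for _rtype, name, addr in records:
        verdict = classify(name, addr, zone, allocated)
        if verdict != "ok":
            findings.append((name, addr, verdict))
    return findings

if __name__ == "__main__":
    for name, addr, verdict in audit():
        print(f"{name:28} {addr:16} {verdict}")
```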

Whois Query

Whois is a database system listing information about the registrant of a domain
name. Information submitted should include only the minimum detail necessary.

The registrant information for acme-widgets.co.uk is:

Acme Widgets Ltd
123 Web Way
Aldermaston
RG12 3AB
Berkshire
Great Britain (UK)
Registered on 20th June 2000
Registered by isp.net

This gives us the company name and address. It also confirms the ISP Acme use.

RIPE Query

RIPE is the organisation that maintains the database of IP address allocations
for Europe. A query will show the address space allocated to an organisation.
The information provided should be the minimum necessary. It is good practice
to use job titles, such as "hostmaster", instead of the names of individuals.

A RIPE query for the IP address of www.acme-widgets.co.uk (10.0.0.21) shows
that it belongs to the block 10.0.0.0 - 10.0.0.255.

The person these were allocated to was:

Dave Mann
Acme Widgets Ltd
99 Acacia Avenue
Reading
RG3 4YZ
Berkshire
+44 118 111 9898

The above information gives us the range of IP addresses that Acme will use for
systems accessible over the internet, Acme's previous address and a name, Dave
Mann, that could be used for social engineering attempts.

Usenet Search

Usenet is a vast collection of newsgroups, each devoted to a particular subject.
Text, similar to an email, is posted to one or more groups; replies are posted
under the same heading, forming a thread.

A search of Usenet can reveal contact details, such as name, job title and
internal phone extensions, together with details of the system environment
through questions regarding problems with applications, operating systems, etc.
Posts to Usenet should be made from a non-organisation-related account and
should not reveal internal details.

A search of Usenet for "acme-widgets.co.uk" found references to a request for
help in installing a software package on a Windows NT server named acme1.

Web Meta Search

The majority of web pages published on the internet are included in one or more
of the large search engines, such as Yahoo, Lycos and Google. A meta search will
query the major search engines and extract information pertaining to the search
criteria entered.

Most of the information has been gathered by "spiders" (also known as "crawlers"
or "bots"): software that reads a web page, sends the information back to the
search engine database for indexing, and then follows all the links from that
page, reading each subsequent page as it goes.

An organisation's personnel should never include their corporate SMTP email
address within a web page or web submission.

A meta search for Acme Widgets failed to find any information beyond that stated
above.

IP Scanning

Having identified information about the Acme network during the footprinting
stage, it is now necessary to delve a little deeper by probing the network
itself. Using our burglar analogy of earlier, we are now going to ring the
doorbell to see if anyone is in.

Ping

With the IP address range identified by the RIPE query above, it is now possible
to ascertain which IP addresses are allocated to systems accessible over the
internet.

Ping is a utility to check network connectivity. It sends a request to an IP
address requiring a response. A ping scan was run against the IP address range.
The addresses that responded are shown in the following table:

Address      Name
10.0.0.2     unknown
10.0.0.21    www.acme-widgets.co.uk

The above information tells us that possibly two systems are accessible over
the internet and one has a registered DNS name.

It is useful to note that no response to a ping scan does not mean nothing is
there. Ping scans can be blocked by a firewall or other gateway device.

Traceroute

Having identified the web server, the traceroute utility is used to determine
the path to the system. This utility traverses the internet to the target,
requesting each hop to report back to the source its IP address, name and the
time taken to reach it.

The traceroute report was as follows:

Tracing route to www.acme-widgets.co.uk [192.168.0.80]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  10.100.10.166
  2    10 ms    20 ms    10 ms  10.100.10.1
  3    20 ms    30 ms    21 ms  anchor-adsl.router.demon.net [212.240.162.126]
  6    30 ms    20 ms    10 ms  anchor-service-2-192.router.demon.net [194.159.7.249]
  7    20 ms    20 ms    20 ms  anchor-border-1-e22.router.demon.net [194.159.7.206]
  8    20 ms    30 ms    30 ms  linx-l0.ukcore.bt.net [195.66.224.10]
  9    20 ms    20 ms    10 ms  core1-pos14-0.ealing.ukcore.bt.net [194.74.65.114]
 10    20 ms    20 ms    41 ms  router2-fa1-0-0.isp.net [194.72.9.173]
 11    50 ms    30 ms    20 ms  tip001acme-router.isp.net [62.7.204.14]
 12    30 ms    30 ms    20 ms  10.0.0.2
 13    40 ms    30 ms    20 ms  www.acme-widgets.co.uk [10.0.0.21]

Trace complete.

The information returned shows the ISP is isp.net and there is a system,
10.0.0.2, within the IP address range returned by the RIPE query one hop before
the web server. As this system did not respond with a name it may be a firewall
or other gateway device.

Port Scan

Internet communication is conducted by using IP addresses, which uniquely
identify a system, and ports, used by applications to communicate.

A port scan identifies open ports on a system. The open ports will allow an
attacker to determine the applications running and even what operating system is
installed, thus "tuning" their attack for maximum effect.

A port scan was conducted against the web server IP address. The ports found
were:

Port      State   Service
80/tcp    open    http
443/tcp   open    https

Port 80 is for HTTP traffic to a web server, port 443 is for secure HTTP
traffic. As it is extremely unlikely these are the only ports open on a system,
it would be correct to conclude, as intimated in the sections above, that the
web server is behind a firewall.

Conclusion

Publicly available information can be a rich source of data for an attacker.
Information on Acme is sparse but there is a member of Acme's personnel listed,
a DDI phone number, an internal server name and IP address, a firewall IP
address and the NT name of a server; this is information that could assist an
attacker.

Website Hacking

This exercise uses a number of methods that would be employed in a real attack.
Firstly we'll take a look at Acme's website. By connecting to the IP address
instead of the name and seeing what is returned we can see whether this is a
virtual web server. If it was, a different page or no page at all would be
returned. As we can see, it is not a virtual server:

Website Environment

The port scan referred to above was configured to return information on
accessible services. For port 80 the banner returned stated the web server was
running Microsoft's web server software IIS 4.0. Version 4.0 is used primarily
on Windows NT 4.0 systems.

Website Crawl

Many websites contain information that is not shown in the browser window. The
entire website was downloaded so it could be searched offline. A search of the
content and a scan for hidden directories revealed the following:

Personnel names                 John Doe
                                John Smith
                                Dave Mann
Address                         123 Web Way, Aldermaston, Berkshire, RG12 3AB
Phone numbers                   0118 999 1111
                                0118 999 1115 (DDI for Dave Mann)
                                0118 999 2222
Email addresses                 sales@acme-widgets.co.uk
                                webmaster@acme-widgets.co.uk
                                dave.mann@acme.co.uk
Hidden web server directories   _themes
                                /blends/
                                _derived/
                                _private/

Microsoft Web Server Vulnerability

Microsoft's web server application in its default state is vulnerable to many
attacks. The first one attempted, known as the Unicode exploit, allows someone to
run commands on the web server via a web browser. The results were successful
and allowed us to list files and directories on the Acme web server:

The directory listing shows a typical IIS directory tree and confirms the hidden
directories discovered above, as well as several others.

By running this command through the web browser we can confirm that the iis_user
account (used to access the web server through a web browser) has execute
permissions in the "scripts" directory. From there, using the trivial file
transfer utility (tftp.exe) installed by default in Windows NT 4.0, we were able
to upload a utility called "netcat.exe" to the web server. Netcat can open a
connection out through a firewall to allow an attacker to open a command prompt
on the web server. We were able to do this.
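As an added defender's example (not part of the original assessment), the following Python decodes request paths the way the unpatched server did, accepting overlong two-byte UTF-8 encodings of ASCII, and flags web log entries whose decoded path uses such an encoding or climbs out of the document root. The log lines are constructed, and the layout assumes IIS's W3C extended log format.

```python
import re

# Constructed sample lines in IIS's W3C extended log format
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2003-03-10 14:02:11 203.0.113.7 GET /default.asp - 200
2003-03-10 14:02:45 203.0.113.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-03-10 14:03:02 203.0.113.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
"""
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_lenient(path):
    """Percent-decode, then accept two-byte UTF-8 even when it is an overlong
    encoding of an ASCII byte (%c0%af -> '/'). Returns (text, overlong_seen)."""
    raw = PCT.sub(lambda m: chr(int(m.group(1), 16)), path).encode("latin-1")
    out, overlong, i = [], False, 0
    while i < len(raw):
        c, nxt = raw[i], (raw[i + 1] if i + 1 < len(raw) else 0)
        if 0xC0 <= c < 0xE0 and 0x80 <= nxt < 0xC0:
            cp = ((c & 0x1F) << 6) | (nxt & 0x3F)
            overlong, i = overlong or cp < 0x80, i + 2  # strict decoders reject cp < 0x80
        else:
            cp, i = c, i + 1            # ASCII, or a stray byte kept as-is
        out.append(chr(cp))
    return "".join(out), overlong

def escapes_root(decoded):
    """True when '..' segments climb above the web document root."""
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        depth += -1 if seg == ".." else int(bool(seg and seg != "."))
        if depth < 0:
            return True
    return False

def suspicious_requests(log_text):
    """Return (c-ip, cs-uri-stem, reasons) for requests that decode badly."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        decoded, overlong = decode_lenient(fields[4])
        reasons = (["overlong UTF-8 in path"] if overlong else []) + (
            ["path escapes web root"] if escapes_root(decoded) else [])
        if reasons:
            hits.append((fields[2], fields[4], reasons))
    return hits
```

This is the class of request that URLScan, recommended in the conclusion below, rejects before it reaches the server.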

We were able to issue commands to the web server in order to discover
information about Acme's network environment.

IP Networking Information

The ipconfig command shows details of the TCP/IP protocols bound to the network
interfaces:

The results returned show the web server is "multi-homed": it has two network
connections, one on the internal and one on the external network. This allows
us to use the web server as a stepping-stone into the internal network.

Having already ascertained the name of an internal server (acme1), we are able to
ping the name to discover if it can be reached from the web server:

The arp command lists the IP addresses of systems that have recently
communicated with a system. Having pinged acme1, it should show in the ARP cache:

The results show the IP address of acme1 and the physical address. As this is
different from the physical address for the firewall (10.0.0.2), it indicates
access to acme1 is across the internal network.

NetBIOS Network Information

The nbtstat command shows statistics and connections using NetBIOS over TCP,
Microsoft's default networking protocol. An important feature of nbtstat is that
it can be run on one system and return results for another. Running this command
against acme1 reveals the NT domain it is in:

The NT domain is not the same as the one for the web server. However, as this is
an internal server it is more likely to be in the corporate domain.

The net view command shows shared directories on Microsoft servers. Using it to
discover shares on acme1 returned the following:

Attempting to access shares on acme1 is not successful; from this we can
conclude either the web server or the iis_user account is not trusted to access
this domain. Therefore, we attempt to get an account on the acme-widgets domain.

Enumerating NT Account Information

Using the connection to the web server we use tftp to upload a utility called
"enum.exe". This is used to query acme1 for a list of users:

Gaining Unrestricted Access

Using likely word combinations, within a few minutes it was possible to discover
the administrator account password and map a drive to the default system share
for the whole of the C:\ drive:

We could now browse all directories on the C:\ drive with full administrator
rights and copy files containing confidential information to the web server:

Then, using tftp, the files can be copied anywhere on the internet:

The documents retrieved were:

\\acme1\financial\2002 accounts - draft.doc
\\acme1\financial\q1-2003 forecast.doc

As can be imagined, use of these documents by competitors could seriously damage
Acme's business.

Conclusion

The web server was multi-homed with an interface on the internal network. A more
secure arrangement would be to remove the internal network interface and split
the web server into a separate network, known as a DMZ, with firewall rules that
restrict traffic out from the DMZ and in from the DMZ to the internal network.

The web server was a default installation of Microsoft Windows NT 4.0 with
Service Pack 6a and IIS 4.0. acme1 was the PDC of the acme-widgets domain and
again was a default installation of Microsoft Windows NT 4.0 with Service Pack
6a. All hotfixes and patches released since SP 6a should be installed on all
Acme Windows NT servers.

Unicode characters were accepted as valid input on the web server. The
permissions on directories outside the web document root should be amended to
exclude the iis_user account. Both of these actions can be addressed by using
the Microsoft IIS Lockdown and URLScan tools.

The password for the administrator account in the acme-widgets domain was easily
guessed.

As so many vulnerabilities were discovered, it is possible there may be others
that will not be revealed until those found have been addressed.

Tools Used

To complete this assessment the following tools were used.

Third-party tools:
  nmap
  netcat
  enum
  SolarWinds TFTP server
  Teleport Pro

Microsoft utilities:
  tftp
  nbtstat
  ping
  tracert
  net
  arp
  ipconfig

For more on website security see Insight Consulting.
