Windows 95

  • October 2019
  • PDF

Website Security Assessment

To properly assess the security of a website it is necessary to gather as much information as possible about the system and its environment. Firstly we will set out the steps involved in finding this information, an activity known as "footprinting".

Footprinting

Footprinting is the process of discovering information about the organisation and the network where the web server is located. Footprinting uses publicly accessible information and utilities that would not alert a vigilant network administrator. A suitable analogy would be a burglar viewing a house from the road.

From the URL supplied we started with the domain name acme-widgets.co.uk. By "pinging" the name www.acme-widgets.co.uk we get the IP address 10.0.0.21.

Domain Name Services

DNS is the process of translating the names of machines on the Internet (such as www.microsoft.com and smtp.isp.co.uk) to IP addresses. The purpose of DNS queries is to discover the machine names, and their associated IP addresses, used by the target organisation. DNS queries can reveal information about the organisation such as internal system names, IP addresses and types; contact details; and network topology. Publicly available DNS should only list the minimum details of systems that are publicly accessible.

A query for acme-widgets.co.uk using DNS reveals the following:

  Service                  Name                        IP address
  Domain name servers      ns1.isp.net                 172.16.32.35
                           ns2.isp.net                 172.16.32.37
  Mail exchange servers    mail.acme-components.com    14.168.200.25
  Other servers            www.acme-widgets.co.uk      10.0.0.21
                           dev.acme-widgets.co.uk      192.168.200.5

The above information provides details of the ISP and of the email server, which has a domain name different from acme-widgets.co.uk and may be on a separate network. Also listed are the web server and another server named "dev" on a separate network.
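The reasoning applied to the table above can be written down as a check. The Python below is an added example, not code from the original assessment: it takes the records just listed, typed in by hand, and classifies each one against the address block the RIPE query later reports for Acme (10.0.0.0 - 10.0.0.255). A name in Acme's own zone that resolves outside that block is either stale or an internal system that should never have been published, and nameservers or mail exchangers in other domains are third-party networks that widen the scope. The report uses private ranges as stand-ins for public address space, so 10.0.0.0/24 is treated here as the organisation's public allocation exactly as the RIPE query states it; the function and record-tuple names are this example's own.

```python
"""Classify hosts found in public DNS against the organisation's RIPE allocation.

Added example; not part of the original assessment.  The records are the ones
tabulated in the DNS section.  The report uses RFC 1918 ranges as stand-ins for
public space, so 10.0.0.0/24 is treated as the public allocation the RIPE query
reports for Acme.
"""
import ipaddress
from collections import defaultdict

ZONE = "acme-widgets.co.uk"
ALLOCATION = ipaddress.ip_network("10.0.0.0/24")   # block returned by the RIPE query

# (owner, type, value) as published for the zone and the hosts it refers to
RECORDS = [
    ("acme-widgets.co.uk", "NS", "ns1.isp.net"),
    ("acme-widgets.co.uk", "NS", "ns2.isp.net"),
    ("acme-widgets.co.uk", "MX", "mail.acme-components.com"),
    ("ns1.isp.net", "A", "172.16.32.35"),
    ("ns2.isp.net", "A", "172.16.32.37"),
    ("mail.acme-components.com", "A", "14.168.200.25"),
    ("www.acme-widgets.co.uk", "A", "10.0.0.21"),
    ("dev.acme-widgets.co.uk", "A", "192.168.200.5"),
]


def in_zone(name: str, zone: str = ZONE) -> bool:
    """True if name is the zone apex or a label underneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def review(records, zone=ZONE, allocation=ALLOCATION):
    """Group each record into a finding class.  Returns {class: [detail, ...]}."""
    findings = defaultdict(list)
    for owner, rtype, value in records:
        if rtype in ("NS", "MX"):
            # Delegated services in someone else's domain are separate networks.
            if not in_zone(value, zone):
                findings["third-party dependency"].append(f"{rtype} for {owner} -> {value}")
            continue
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(value)
        if not in_zone(owner, zone):
            findings["host in another organisation's domain"].append(f"{owner} {addr}")
        elif addr in allocation:
            findings["expected public host"].append(f"{owner} {addr}")
        elif addr.is_private:
            # Our zone, not our public block, and an RFC 1918 address: an internal
            # record that belongs on the internal DNS servers only.
            findings["zone host outside allocation"].append(
                f"{owner} {addr} (RFC 1918: internal record published externally)")
        else:
            findings["zone host outside allocation"].append(
                f"{owner} {addr} (not in our block: stale or separately hosted)")
    return dict(findings)


if __name__ == "__main__":
    for cls, items in review(RECORDS).items():
        print(cls)
        for item in items:
            print("   ", item)
```

Run on the table above, the check singles out dev.acme-widgets.co.uk as the leaked internal record and lists the ISP nameservers and the group company's mail exchanger as third-party dependencies, which is the scope the report goes on to discuss.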
The mail server name and IP address indicate that Acme Widgets Ltd is part of a group of companies and that another company within the group handles email. This would represent another potential avenue of attack against Acme. Subsequent work has shown that the server dev.acme-widgets.co.uk no longer exists. However, the listed IP address is an internal address that should not be reachable from the Internet. Records for internal servers should only be listed on internal DNS servers.

Whois Query

Whois is a database system listing information about the registrant of a domain name. Information submitted should include only the minimum detail necessary. The registrant information for acme-widgets.co.uk is:

  Acme Widgets Ltd
  123 Web Way
  Aldermaston
  RG12 3AB
  Berkshire
  Great Britain (UK)
  Registered on 20th June 2000
  Registered by isp.net

This gives us the company name and address. It also confirms the ISP that Acme use.

RIPE Query

RIPE is the organisation that maintains the database of IP address allocations for Europe. A query will show the address space allocated to an organisation. The information provided should be the minimum necessary. It is good practice to use role names, such as "hostmaster", instead of the names of individuals. A RIPE query for the IP address of www.acme-widgets.co.uk (10.0.0.21) shows that it belongs to the block 10.0.0.0 - 10.0.0.255. The person these were allocated to was:

  Dave Mann
  Acme Widgets Ltd
  99 Acacia Avenue
  Reading
  RG3 4YZ
  Berkshire
  +44 118 111 9898

The above information gives us the range of IP addresses that Acme will use for systems accessible over the Internet, Acme's previous address and a name (Dave Mann) that could be used for social engineering attempts.

Usenet Search

Usenet is a vast collection of newsgroups, each devoted to a particular subject. Text, similar to an email, is posted to one or more groups; replies are posted under the same heading, forming a thread. A search of Usenet can reveal contact details (such as name, job title and internal phone extensions) together with details of the system environment, through questions about problems with applications, operating systems, etc. Posts to Usenet should be made from an account that is not related to the organisation and should not reveal internal details. A search of Usenet for "acme-widgets.co.uk" found a request for help in installing a software package on a Windows NT server named acme1.

Web Meta Search

The majority of web pages published on the Internet are included in one or more of the large search engines, such as Yahoo, Lycos and Google. A meta search will query the major search engines and extract information pertaining to the search criteria entered. Most of the information has been gathered by "spiders" (also known as "crawlers" or "bots"): software that reads a web page, sends the information back to the search engine database for indexing, and then follows all the links from that page, reading each subsequent page as it goes.
An organisation's personnel should never include their corporate SMTP email address within a web page or web submission. A meta search for Acme Widgets failed to find any information beyond that stated above.

IP Scanning

Having identified information about the Acme network during the footprinting stage, it is now necessary to delve a little deeper by probing the network itself. Using our burglar analogy of earlier, we are now going to ring the doorbell to see if anyone is in.

Ping

With the IP address range identified by the RIPE query above, it is now possible to ascertain which IP addresses are allocated to systems accessible over the Internet. Ping is a utility to check network connectivity: it sends an ICMP echo request to an IP address and waits for the echo reply. A ping scan was run against the IP address range. The addresses that responded are shown in the following table:

  Address     Name
  10.0.0.2    unknown
  10.0.0.21   www.acme-widgets.co.uk

The above information tells us that possibly two systems are accessible over the Internet, one of which has a registered DNS name.

It is useful to note that no response to a ping scan does not mean nothing is there. Ping scans can be blocked by a firewall or other gateway device.

Traceroute

Having identified the web server, the traceroute utility is used to determine the path to the system. This utility traverses the Internet to the target, requesting each hop to report back to the source its IP address, name and the time taken to reach it. The traceroute report was as follows:

  Tracing route to www.acme-widgets.co.uk [192.168.0.80] over a maximum of 30 hops:

    1   <10 ms   <10 ms   <10 ms  10.100.10.166
    2    10 ms    20 ms    10 ms  10.100.10.1
    3    20 ms    30 ms    21 ms  anchor-adsl.router.demon.net [212.240.162.126]
    6    30 ms    20 ms    10 ms  anchor-service-2-192.router.demon.net [194.159.7.249]
    7    20 ms    20 ms    20 ms  anchor-border-1-e22.router.demon.net [194.159.7.206]
    8    20 ms    30 ms    30 ms  linx-l0.ukcore.bt.net [195.66.224.10]
    9    20 ms    20 ms    10 ms  core1-pos14-0.ealing.ukcore.bt.net [194.74.65.114]
   10    20 ms    20 ms    41 ms  router2-fa1-0-0.isp.net [194.72.9.173]
   11    50 ms    30 ms    20 ms  tip001acme-router.isp.net [62.7.204.14]
   12    30 ms    30 ms    20 ms  10.0.0.2
   13    40 ms    30 ms    20 ms  www.acme-widgets.co.uk [10.0.0.21]

  Trace complete.

The information returned shows that the ISP is isp.net and that there is a system, 10.0.0.2, within the IP address range returned by the RIPE query, one hop before the web server. As this system did not respond with a name it may be a firewall or other gateway device.

Port Scan

Internet communication is conducted using IP addresses, which uniquely identify a system, and ports, which applications use to communicate. A port scan identifies open ports on a system. The open ports allow an attacker to determine the applications running and even which operating system is installed, thus "tuning" the attack for maximum effect. A port scan was conducted against the web server IP address. The ports found were:

  Port      State   Service
  80/tcp    open    http
  443/tcp   open    https

Port 80 is for HTTP traffic to a web server; port 443 is for HTTP over SSL/TLS. As it is extremely unlikely that these are the only ports open on a system, it would be correct to conclude, as intimated in the sections above, that the web server is behind a firewall.

Conclusion

Publicly available information can be a rich source of data for an attacker. Information on Acme is sparse, but there is a member of Acme's personnel listed, a DDI phone number, an internal server name and IP address, a firewall IP address and the NT name of a server; this is information that could assist an attacker.

Website Hacking

This exercise uses a number of methods that would be employed in a real attack. Firstly we will take a look at Acme's website. By connecting to the IP address instead of the name and seeing what is returned we can see whether this is a virtual web server: if it were, a different page, or no page at all, would be returned. As we can see, it is not a virtual server.

Website Environment

The port scan referred to above was configured to return information on accessible services. For port 80 the banner returned stated that the web server was running Microsoft's web server software, IIS 4.0. Version 4.0 is used primarily on Windows NT 4.0 systems.

Website Crawl

Many websites contain information that is not shown in the browser window. The entire website was downloaded so it could be searched offline. A search of the content and a scan for hidden directories revealed the following:

  Personnel names                 John Doe
                                  John Smith
                                  Dave Mann
  Address                         123 Web Way, Aldermaston, Berkshire, RG12 3AB
  Phone numbers                   0118 999 1111
                                  0118 999 1115 (DDI for Dave Mann)
                                  0118 999 2222
  Email                           [email protected]
                                  [email protected]
                                  [email protected]
  Hidden web server directories   _themes/blends/
                                  _derived/
                                  _private/

Microsoft Web Server Vulnerability

Microsoft's web server application in its default state is vulnerable to many attacks. The first one attempted, known as the Unicode exploit, allows someone to run commands on the web server via a web browser. The attempt was successful and allowed us to list files and directories on the Acme web server. The directory listing shows a typical IIS directory tree and confirms the hidden directories discovered above, as well as several others. By running this command through the web browser we can confirm that the IIS_user account (the anonymous account used to access the web server through a web browser) has execute permission in the "scripts" directory. From there, using the Trivial File Transfer utility (tftp.exe) installed by default in Windows NT 4.0, we were able to upload a utility called netcat.exe to the web server. Netcat can open a connection out through a firewall, allowing an attacker to obtain a command prompt on the web server. We were able to do this, and to issue commands to the web server in order to discover information about Acme's network environment.
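The "Unicode exploit" used above is the IIS 4.0 and 5.0 folder-traversal flaw Microsoft addressed in bulletin MS00-078, typically requested as /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir. The Python below is an added example, not code from the original report or from IIS. It models the logic error rather than the real server: the path was canonicalised and checked for ".." traversal before the UTF-8 sequences were decoded, and the decoder accepted overlong forms such as C0 AF for "/", so the checker saw "..%c0%af.." as an ordinary file name while the file system saw "../..". The fixed version decodes strictly first, canonicalises, then checks. The virtual-root and on-disk directory names are assumptions standing in for a default installation.

```python
"""Model of the IIS 4.0/5.0 'Unicode' folder traversal (MS00-078).

Added example, not code from the original assessment or from IIS.  The bug
modelled is check-then-decode: traversal is checked on the raw path, then
an over-permissive UTF-8 decoder turns C0 AF into '/'.  Directory names are
assumed stand-ins for a default installation.
"""
import posixpath
from urllib.parse import unquote_to_bytes

VROOT = "/scripts"              # virtual directory with execute permission
VROOT_FS = "/inetpub/scripts"   # where it lives on disk (assumed)


def lenient_utf8(data: bytes) -> str:
    """Decode ASCII and two-byte UTF-8 without rejecting overlong forms.
    C0 AF -> U+002F '/', C1 9C -> U+005C '\\'; a strict decoder refuses both."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(out)


def _canon(path: str) -> str:
    """Collapse '.', '..' and repeated slashes; always rooted at a single '/'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def _under_vroot(canon: str) -> bool:
    return canon == VROOT or canon.startswith(VROOT + "/")


def vulnerable_map(url: str) -> str:
    """Check first, decode second (the bug).  Returns the file-system path the
    request reaches, or raises PermissionError."""
    raw = unquote_to_bytes(url.split("?", 1)[0])   # %xx -> bytes, once
    checked = _canon(raw.decode("latin-1"))        # bytes C0 AF are not a separator here
    if not _under_vroot(checked):
        raise PermissionError("outside virtual root: " + checked)
    decoded = "/" + lenient_utf8(raw).lstrip("/")  # now C0 AF becomes '/'
    return posixpath.normpath(VROOT_FS + decoded[len(VROOT):])


def fixed_map(url: str) -> str:
    """Decode strictly, canonicalise, then check; re-check after mapping to disk."""
    raw = unquote_to_bytes(url.split("?", 1)[0])
    try:
        path = raw.decode("utf-8")                 # strict: overlong C0 AF is an error
    except UnicodeDecodeError as exc:
        raise PermissionError("malformed UTF-8 in URL") from exc
    canon = _canon(path)
    if not _under_vroot(canon):
        raise PermissionError("outside virtual root: " + canon)
    fs_path = posixpath.normpath(VROOT_FS + canon[len(VROOT):])
    if not fs_path.startswith(VROOT_FS):           # defence in depth
        raise PermissionError("mapping escaped virtual root")
    return fs_path


def is_blocked(mapper, url: str) -> bool:
    """True if mapper refuses the request."""
    try:
        mapper(url)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    exploit = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"
    for name, fn in (("vulnerable", vulnerable_map), ("fixed", fixed_map)):
        try:
            print(name, "->", fn(exploit))
        except PermissionError as e:
            print(name, "blocked:", e)
```

The vulnerable mapper lets the request reach cmd.exe while rejecting the plain ../../ form, which is exactly why the encoded variant was needed; the fixed mapper rejects both. Note that the fix is ordering, not filtering: decode completely, canonicalise once, then compare against the virtual root.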
IP Networking Information

The ipconfig command shows details of the TCP/IP configuration bound to the network interfaces. The results returned show that the web server is "multi-homed": it has two network connections, one on the internal and one on the external network. This allows us to use the web server as a stepping stone into the internal network. Having already ascertained the name of an internal server (acme1), we are able to ping the name to discover whether it can be reached from the web server. The arp command lists the IP and physical (MAC) addresses of systems on the locally attached networks that have recently communicated with this system; having pinged acme1, it should appear in the ARP cache. The results show the IP address of acme1 and its physical address. As this is different from the physical address of the firewall (10.0.0.2), it indicates that access to acme1 is across the internal network rather than back out through the firewall.

NetBIOS Network Information

The nbtstat command shows statistics and connections using NetBIOS over TCP/IP, Microsoft's default networking protocol at the time. An important feature of nbtstat is that it can be run on one system and return results for another. Running this command against acme1 reveals the NT domain it is in. The NT domain is not the same as the one for the web server; however, as this is an internal server it is more likely to be in the corporate domain. The net view command shows shared directories on Microsoft servers. Using it to discover shares on acme1 returned a list of shares, but attempting to access them is not successful; from this we can conclude that either the web server or the IIS_user account is not trusted to access this domain. Therefore, we attempt to get an account on the acme-widgets domain.

Enumerating NT Account Information

Using the connection to the web server we use tftp to upload a utility called enum.exe. This is used to query acme1 for a list of users.

Gaining Unrestricted Access

Using likely word combinations, within a few minutes it was possible to discover the Administrator account password and map a drive to the default administrative share (C$) for the whole of the C: drive. We could now browse all directories on the C: drive with full administrator rights and copy files containing confidential information to the web server; then, using tftp, the files can be copied anywhere on the Internet. The documents retrieved were:

  \\acme1\financial\2002 accounts - draft.doc
  \\acme1\financial\q1-2003 forecast.doc

As can be imagined, use of these documents by competitors could seriously damage Acme's business.

Conclusion

The web server was multi-homed with an interface on the internal network.
A more secure design would be to remove the internal network interface and place the web server in a separate network, known as a DMZ, with firewall rules that restrict traffic out from the DMZ and from the DMZ into the internal network. The web server was a default installation of Microsoft Windows NT 4.0 with Service Pack 6a and IIS 4.0. acme1 was the PDC of the acme-widgets domain and again was a default installation of Microsoft Windows NT 4.0 with Service Pack 6a. All hotfixes and patches released since SP6a should be installed on all Acme Windows NT servers. Unicode-encoded traversal sequences were accepted as valid input on the web server, and the permissions on directories outside the web document root should be amended to exclude the IIS_user account. Both of these issues can be addressed by using the Microsoft IIS Lockdown and URLScan tools; these filter and restrict the requests the server will accept, while the underlying decoding flaw is removed by the hotfix covered in the patching recommendation above. The password for the Administrator account in the acme-widgets domain was easily guessed. As so many vulnerabilities were discovered, it is possible there are others that will not be revealed until those found have been addressed.

Tools Used to Complete This Assessment

The following tools were used.

Third party tools
  nmap
  netcat
  enum
  SolarWinds TFTP Server
  Teleport Pro

Microsoft utilities
  tftp
  nbtstat
  ping
  tracert
  net
  arp
  ipconfig

For more on website security see Insight Consulting.
