GT ECE 4112 - Web Security

This preview shows page 1-2-3 out of 10 pages.
ECE 4112 Internetwork Security
Lab 11: Web Security

Group Number: _______________
Member Names: _________________________ _________________________
Date Assigned: November 15, 2005
Date Due: November 22, 2005
Last Edited: November 9, 2005

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: The goal of this lab is to examine various tools and techniques that can be used to exploit weaknesses in web servers.

Summary: This lab will introduce tools that can be used to see vulnerabilities on an Apache web server and to gain access to private pages.

Background and Theory: Web server hacking refers to attackers taking advantage of vulnerabilities inherent to the web server software itself (or one of its add-on components). These vulnerabilities are typically publicized and are easy to detect and attack. An attacker with the right set of tools and ready-made exploits can bring down a vulnerable web server in minutes. For this reason, it is crucial for web administrators to always patch their web server and related software.

Prelab Questions: None.

Lab Scenario: For this lab we will be accessing an Apache web server on the Mininet whose IP address is 57.35.6.2. This is a RedHat 7.2 machine running Apache. This emulates a web server without proper security updates that you might find on the web.

Copy the files from the Lab11 folder on the NAS to the various machines:

On the WS 4.0 host machine:
# mkdir /root/lab11
# cp -rf /mnt/nas4112/Lab11/WS4/* /root/lab11

On the Windows XP virtual machine:
Create a folder called “lab11” on the desktop. Copy the contents of the Windows directory of Lab11 on the NAS to this folder.

Section 1: Web Security Utilities

Some of the following utilities will need SSL support, so first and foremost, install OpenSSL on the WS 4 host:
# cd /root/lab11
# tar xvfz openssl-0.9.6j.tar.gz
# cd openssl-0.9.6j
# ./config -shared --prefix=/usr/local/ssl -fPIC
# make
# make test
# make install
Now the utilities we install can use the SSL libraries.

WGET

When targeting a web server, a serious hacker would study its content thoroughly. This might involve downloading its entire content for offline examination at his leisure. Doing this manually would be very tedious and tiresome, so luckily there are some useful tools readily available that automate this process. WGET is a free software package for retrieving files using HTTP, HTTPS, and FTP. It can be downloaded from http://www.gnu.org/software/wget/wget.html.

To install wget: On the WS 4.0 physical machine, change to the utilities folder:
# cd /root/lab11/utilities
Now build wget:
# tar xvfz wget-1.9.1.tar.gz
# cd wget-1.9.1
# ./configure --prefix=/usr/local/wget --with-ssl
# make
# make install

To use wget to download a complete website, do the following:
# mkdir /root/lab11/downloaded
# wget -P /root/lab11/downloaded -m http://57.35.6.2
This transfers data to the folder /root/lab11/downloaded.

Q1.1: What data is transferred to this folder?
Q1.2: Why would this information be useful to attackers?

httpdtype and user discovery

Apache web servers, by default, are set up in a way that makes it easy for attackers to determine what type of web server is running, what additional modules are built into Apache, and what user accounts are present on the server.

The first simple utility we will look at is a program called “httpdtype”. It is available from http://packetstormsecurity.nl in a package named “apscan2.tgz”. The other utilities in this package are not useful for our purposes and will not be discussed.

On your Redhat WS 4 physical machine:
# cd /root/lab11/utilities
# tar xvfz apscan2.tgz
The other utilities are extracted as well but can be ignored.

Now, type:
# ./httpdtype 57.35.6.2

Q1.3: What is the output?

Another useful utility takes advantage of a bug in the Apache software, when run on a Redhat machine, that makes user discovery quite easy. If you try to access an existing user's folder on an Apache server using a “~”, the server will respond with a 403 error message, indicating “Forbidden”, since that particular user has not set the appropriate permissions for their folder. If you were to try to access a non-existent user in the same manner, the server would respond with a 404 message indicating “Not Found”, since that user doesn't exist.

Open up a web browser on your Redhat 8.0 physical machine, type the following URL “http://57.35.6.2/~root” and observe the results. Now try “http://57.35.6.2/~rooty” [this lab assumes there is not a user called “rooty”] and observe these results. As can be seen, this is a very easy method to determine what user accounts are on a particular server.

C code included on the NAS, named “arse.c”, which is short for Apache and Redhat Security Exploit, will automate this process. This code can also be obtained from http://packetstormsecurity.nl. You have already downloaded “arse.c”; now we will compile it on the Redhat 8.0 physical machine:
# cd /root/lab11/utilities
# gcc -o arse arse.c
Now run “arse” in the following manner:
# ./arse 57.35.6.2 80 names.txt [“names.txt” contains various user names]
This will check server “57.35.6.2”, use port 80 (http), and check the user names in “names.txt”.

Q1.4: What user names were found?

Now we know what user accounts are on the server, information that is very useful to an attacker. One very good use of this information will be shown next, where we exploit a flaw in the basic authentication system that web servers use.

Cracking basic auth

Most web servers have information on them that is only intended for a certain user or a certain group of users. To prevent access to this information by unauthorized individuals, web servers can use “basic authentication”, the simplest method of authentication. For a long time this was the most common authentication method used by all web servers on the Internet, and it is still the primary form of access protection used by many.

We have set up a private folder on our web server. Attempt to browse to “http://57.35.6.2/private/” and see that an authentication prompt comes up. [Note: a “/” is required after “private” above] This page is only available to two users with passwords.

A bug exists in basic auth that sets no limits on the amount of simultaneous connections and number of
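As an added example that is not part of the lab handout, the following Python script shows the server-side view of the ~user 403/404 discovery technique described above: it reads Apache access-log lines, groups /~name requests by client, and reports which clients probed many names and which account names the 403 responses confirmed to them, so an administrator can spot the enumeration and know what was disclosed. The log lines, client addresses and account names are constructed sample data; only the target address 57.35.6.2 comes from the lab.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The lab's target is 57.35.6.2; the client
# IPs, timestamps and names in SAMPLE_LOG are constructed (hypothetical).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
# A request for /~<name> is a UserDir probe; <name> is the account guessed.
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?#]+)')

SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2005:10:01:01 -0500] "GET /~root HTTP/1.0" 403 289 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2005:10:01:02 -0500] "GET /~rooty HTTP/1.0" 404 276 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2005:10:01:02 -0500] "GET /~bin HTTP/1.0" 403 289 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2005:10:01:03 -0500] "GET /~alice HTTP/1.0" 404 276 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2005:10:01:03 -0500] "GET /~bob HTTP/1.0" 404 276 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2005:10:01:04 -0500] "GET /~www HTTP/1.0" 403 289 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2005:10:05:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2005:10:05:01 -0500] "GET /~alice HTTP/1.1" 404 276 "-" "Mozilla/5.0"
"""

def find_userdir_probes(log_text, threshold=4):
    """Return {ip: {"existing": set, "missing": set}} for each client that
    requested at least `threshold` distinct /~user paths. A 403 means the
    home directory exists (the Apache behaviour the lab describes), a 404
    that it does not; malformed lines and other statuses are ignored."""
    probes = defaultdict(lambda: {"existing": set(), "missing": set()})
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        um = USERDIR_RE.match(rec["path"]) if rec else None
        if um is None:
            continue
        if rec["status"] == "403":
            probes[rec["ip"]]["existing"].add(um["user"])
        elif rec["status"] == "404":
            probes[rec["ip"]]["missing"].add(um["user"])
    return {ip: d for ip, d in probes.items()
            if len(d["existing"]) + len(d["missing"]) >= threshold}

if __name__ == "__main__":
    for ip, d in find_userdir_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(d['existing']) + len(d['missing'])} names probed, "
              f"accounts confirmed by 403: {sorted(d['existing'])}")
```

Feeding the contents of the server's own access_log to find_userdir_probes gives the same report for a real host; the 403-confirmed set is the list of accounts an enumerating client now knows about.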