GT ECE 4112 - Internet Information Services

This preview shows page 1-2-22-23 out of 23 pages.


ECE4112 Internetwork Security
Lab 12: Internet Information Services (IIS)

Group Number: _________
Member Names: ___________________ _______________________

Lab Authors: Scott McCans, Peter Mehravari
Date Assigned: ???????
Date Due: ????????
Last Edited: ????????

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: The goal of this lab is to introduce the Windows-based platform Internet Information Services (IIS) as a viable web server. In particular, emphasis will be placed upon getting to know the vulnerabilities of the application as well as how to protect the server against black hat attacks.

Summary: This lab consists of two main sections plus a section dedicated to setup and one to further research. The two major experimental sections deal with IIS versions 5.0 and 5.1. For both of these versions, exploits will be presented and explained, and information on how to harden both of these web servers to prevent the vulnerabilities will be discussed.

Background and Theory:
- Read “Hacking Exposed” Web Server Hacking pg 536-561
- Read Wikipedia’s entry on IIS (see Reference [1])
- Read about ASP and the role of the global.asa file (see Reference [2])

Prelab Questions:

PLQ1. Give a summary of all the versions of IIS and what operating system they run on.

PLQ2. What is the role of the global.asa file in ASP?

Equipment: This lab requires the use of four machines on the same network:
1. Red Hat 4.0 WS Host Machine
2. Windows XP Virtual Machine
3. Preconfigured Win2kServer Virtual Machine
4. Preconfigured Win2k3Server Virtual Machine

Equipment needed:
1. Windows XP Professional CD

Section 1: Setup

1.1 Setting up the IIS server on Windows XP Virtual Machine

1. Put the Windows XP CD in the drive. If the CD isn’t recognized by the virtual machine, right click on the CD drive with the red X over it (located at the bottom right of the VMware window) and click enable.
2. Go to the Control Panel. Click on Add/Remove Programs.
3. Click on the Add/Remove Windows Components button on the left side of the window.
4. Put a check in the box next to “Internet Information Services (IIS)” and click Next. Let IIS install.
5. When it’s done installing, restart Windows.
6. After Windows reboots, try to access the web server from Red Hat WS 4.0. Open a web browser and try to connect to the address http://<Windows XP IP address>. If IIS is properly running you should get a page saying the site is under construction.

1.2 Setting up the IIS Win2k and Win2k3 Server Virtual Machines

Copies of the virtual machines, created by the TAs, are available on the NAS server. You will be creating virtual machines out of them. Copy the files called Win2k.zip and Win2k3.zip from the NAS server to your Red Hat 4.0 WS root directory. Unzip these files using the unzip command to your /root/vmware/ folder. Look at Appendix A for instructions on how to install these images in VMware if you have forgotten.

When creating the virtual machine, you may be prompted about upgrading. If so, click on the upgrade button.

Configure the IP addresses as follows:
- WinXP = 56.35.6.(x+2)
- Win2kServer = 56.35.6.(x+3)
- Win2k3Server = 56.35.6.(x+4)

See Appendix B for configuring Windows machine IP addresses.

Section 2: IIS 5.0

Power on the Win2kServer virtual machine, which was installed in the previous section. This section of the lab will be dealing exclusively with this virtual machine.

The login is “Administrator” and the password is “pass” for this virtual machine.

2.1 IISHACK2000

http://downloads.securityfocus.com/vulnerabilities/exploits/iishack2000.c

This exploit takes advantage of a printer buffer overflow on the Windows 2000 version of IIS. The result of running this overflow is a file created on the C: drive.

Copy the file iishack2000.c from the NAS to a location on your Red Hat 4.0 WS local machine. Using the terminal window, locate the file. Compile and run the .c code using the following commands:

    gcc iishack.c -o iishack
    ./iishack 57.35.6.(x+3) 80 0

Look in the C: directory of the Win2kServer machine and observe its contents.

Q2.1.1. What new file is now located in the Win2kServer’s C: folder?

Screenshot #1: Take a screenshot of the C: drive showing the added file.

Look at the actual code being implemented by iishack2000. This program has the ability to take in any shell code and run it using a buffer overflow. The file created is just a default file which is used to prove the exploit works.

Q2.1.2. What sort of files would be more useful to a hacker to use along with this exploit instead of the default file?

Q2.1.3. Look at the text output after the program is run. What does this suggest might be ways of preventing this exploit from affecting your server?

2.2 Double Decode Directory Traversal Attacks

http://www.unleashedportal.com/Article1033.html

Exploits do not always need a specific tool or code file; in this case all an attacker needs is a web browser. Open Ethereal in Red Hat 4.0 WS and start capturing packets. Open the Firefox web browser on the Red Hat 4.0 WS host machine and enter the following in the address line:

    http://57.35.6.x+3/Scripts/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\

If a save file prompt appears, click cancel. Stop Ethereal and follow the TCP stream to find the commands sent and the response given.

Screenshot #2: Take a screenshot of the TCP stream showing the contents of the C: drive.

The exploit works because the “Scripts” directory on the web server has execute permissions. The “..%%35%63” tells the server to move up a folder. In this example it goes up four directories and ends up in C:\. The “winnt/system32/cmd.exe” part of the URL tells the server to run that program, which is the Windows shell program. Everything after the “?/c+” is what is run by cmd.exe. In this case the command “dir c:\” is run, which is why we see the listing of the C:\ directory in the Ethereal capture.

Q2.2.1. Using the method described above, how would you go about deleting a file, test.txt, located in the C:/ directory? Make a test.txt file
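
Added example (not part of the original lab handout): a log-side check for the kind of request shown in section 2.2, which percent-decodes a request path repeatedly and reports the pass at which a ".." segment first appears. The names decode_once, inspect_path, verdict and the MAX_PASSES limit are assumptions of this sketch, and every sample path except the lab URL is constructed.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a '..' path segment
MAX_PASSES = 4  # assumption: nesting depth worth unwinding

# Constructed request targets; the first is the URL path from section 2.2.
SAMPLES = [
    "/Scripts/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\\",
    "/Scripts/..%5c..%5cwinnt/system32/cmd.exe",
    "/docs/q1%2520report.pdf",
    "/images/logo%20small.gif",
]


def decode_once(s):
    """One percent-decoding pass: '%%35%63' becomes '%5c', which the next
    pass turns into a backslash."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def inspect_path(target):
    """Return (passes, traversal_pass): how many decode passes changed the path,
    and the first pass (0 = raw) at which a '..' segment appears, else None."""
    current = target.split("?", 1)[0]          # path only, query ignored
    passes = 0
    traversal_pass = 0 if _DOTDOT.search(current) else None
    while passes < MAX_PASSES:
        decoded = decode_once(current)
        if decoded == current:                 # canonical form reached
            break
        passes, current = passes + 1, decoded
        if traversal_pass is None and _DOTDOT.search(current):
            traversal_pass = passes
    return passes, traversal_pass


def verdict(target):
    passes, trav = inspect_path(target)
    if trav is not None:
        return "BLOCK: traversal visible after %d decode pass(es)" % trav
    if passes >= 2:
        return "REVIEW: double-encoded path"
    return "OK"


if __name__ == "__main__":
    for t in SAMPLES:
        print("%-48s %s" % (verdict(t), t))
```

A filter that decodes only once sees no ".." segment in the lab URL; the segment appears on the second pass, which is why the check has to run on the fully decoded path.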

