WebSec 101: Configuration
Presented by Mike Andrews
Copyright © 2009, McAfee, Inc.
mike.andrews@foundstone.com / mike@mikeandrews.com
Intro music by DoKashiteru via CCMixter
Nothing in isolation
Network
Operating System
Libraries
Web server
Framework / App Server
Application
Attack Surface
► The attack surface is the sum of all the points where an attacker can interact with the system: every listening service, URL, file and interface is a possible attack vector
► Think of a house, with doors and windows as the attack vectors
► Minimize the surface area: remove the doors and windows you do not need, and make sure the ones that are left are locked and secure
From the bottom
► Each running network service is a door or window
► Generally on a web app we only want external users to reach ports 80 and 443
● Turn off services like Telnet, FTP, SMTP, etc.
● Some may be necessary - filter them at the firewall
► Some servers can be administered via web pages on administrative ports
● http://servername:5842
nMap
► nMap – “Network Mapper”
► Look for open TCP ports, especially high-numbered (non-standard) ones
► Connect to them and send an HTTP request
● HEAD / HTTP/1.0
Checking for known vulnerabilities
► Need to know the type and version of the software
● From an internal/white-box point of view this is easy!
► Can be done for both OS and web server
● nmap -O (OS fingerprinting)
● HEAD request --> Server header
They Lie!
► Sometimes there is no Server: header, and sometimes it lies!
● Fingerprint on response differences instead
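The probe the last three slides describe, written out as an added Python example (editor-supplied code, not part of the deck and not nmap): it opens each candidate port, sends `HEAD / HTTP/1.0`, pulls the Server header if there is one, and keeps the order in which the headers came back, which is the kind of response difference a fingerprinting tool leans on when the banner is missing or lying. The host name `servername` and the port list are placeholders, and the two sample replies are constructed, not captured from any real host.

```python
"""HEAD-probe a set of ports and pull the Server banner (added example)."""
import socket
from typing import Dict, List, NamedTuple, Optional


class HttpReply(NamedTuple):
    status: int
    reason: str
    headers: Dict[str, str]   # header names lower-cased -> first value seen
    header_order: List[str]   # header names as, and in the order, the server sent them


def parse_response(raw: bytes) -> HttpReply:
    """Parse the status line and headers of an HTTP response.

    Only the head is needed: a HEAD request gets no body anyway.
    Raises ValueError if the status line is not HTTP-shaped.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *rest = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    order: List[str] = []
    for line in lines[1:]:
        if ":" not in line:
            continue                      # tolerate junk lines rather than abort
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
        order.append(name.strip())
    return HttpReply(int(status), rest[0] if rest else "", headers, order)


def server_banner(reply: HttpReply) -> str:
    """What the server claims to be. It may be absent or a lie; treat it as a hint only."""
    return reply.headers.get("server", "<no Server header>")


def probe_http(host: str, port: int, timeout: float = 3.0) -> Optional[HttpReply]:
    """Connect to host:port, send 'HEAD / HTTP/1.0' and return the parsed reply.

    Returns None if the port is closed, times out, or does not speak plain HTTP
    (a TLS port such as 443 needs the socket wrapped with ssl first).
    """
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n\r\n" not in buf and len(buf) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:                       # refused, timed out, reset, ...
        return None
    if not buf.startswith(b"HTTP/"):
        return None                       # something else is listening here (SSH, SMTP, ...)
    try:
        return parse_response(buf)
    except ValueError:
        return None


def scan(host: str, ports: List[int]) -> Dict[int, HttpReply]:
    """Sweep candidate ports (e.g. the open ones nmap reported) for HTTP listeners."""
    found: Dict[int, HttpReply] = {}
    for port in ports:
        reply = probe_http(host, port)
        if reply is not None:
            found[port] = reply
    return found


# Constructed sample replies (not captured from a real host) to show the parser's output.
SAMPLE_VERBOSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.0 (Unix) PHP/3.0\r\n"
                  b"Date: Mon, 01 Jan 2009 00:00:00 GMT\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_SILENT = b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2009 00:00:00 GMT\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_VERBOSE, SAMPLE_SILENT):
        r = parse_response(raw)
        print(r.status, server_banner(r), r.header_order)
    # Live use, after something like "nmap -p- servername" has listed the open ports:
    # for port, r in scan("servername", [80, 8080, 5842]).items():
    #     print(port, r.status, server_banner(r), r.header_order)
```

Run nmap first and feed only the open ports to `scan()`; probing every port with a full TCP connect and a 3 second timeout is slow, which is exactly the work nmap is for.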
How does HTTPrint work out the server type? It does not trust the Server header at all: it sends a set of requests, some deliberately unusual (unsupported methods, odd HTTP versions, non-existent paths), and compares how the server responds (status codes, which headers come back and in what order, the shape of the error page) against a database of signatures for known servers.
Join the dots
► Given a web server type/version, sometimes the OS can be determined
● IIS/6.0 - Windows box
● Sun ONE - Solaris
● Apache - ???
With information comes power!
► What to do with this info?
● Look up known vulnerabilities for the platform (SecurityFocus, Secunia, OSVDB - see references)
Changing the SERVER header
► Smells of “security by obscurity”
► I believe that …Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 … is too much info
► Apache (>1.3)
● ServerTokens Prod[uctOnly]
► IIS
● IISLockdown/URLScan + RemoveServerHeader
● Remember the X-POWERED-BY header as well!
Scanning products
► Various products available to scan machines/networks to look for known vulns
► Network scanning vs Application scanning
Rest of the stack
► What about vulns in the rest of the stack?
● Issues with the app, framework and libraries will be addressed in future webcasts
● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left
► Left over files, samples, demos, etc
► Weak server configuration
Reviewing the web root
► Much easier to do if you have local access
► Look for all the places that are mapped
● Apache - httpd.conf DocumentRoot
● IIS - IIS Manager, Web Sites + Virtual Directories
► Review files and directories - remove those that are not necessary to running the application
● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?)
► Also look for installed applications - does anyone really need MS Office on the web server? Games? CS Server?
Nikto/Wikto
► Example of a (free) tool which scans for potentially vulnerable files/settings
► Can generate a lot of false positives
● HTTP codes (404s etc.)
● The “200 OK” problem: a server that answers missing resources with a friendly error page and status 200 makes every probe look like a hit
► Not necessarily security problems, but should be verified
● Left-over installation files / example scripts
● Known vulnerabilities / old versions
● Use -update to get the most current signatures
− Can also add your own custom ones
Identifying resources (decision flow)
► Request a “bad” resource (one that should not be there)
► Does it exist (non-404 reply)? [n] → No vulnerability
► [y] Is it a custom response (e.g. a friendly error page returned with 200 OK)? [n] → Positive vulnerability
► [y] Does the scanner recognize that custom response as the server's error page? [y] → No vulnerability; [n] → False positive
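An added Python example (editor's code, not from the deck or from Nikto) of how a scanner can cut down the false positives the slide describes by following the decision flow above: first request a random path that cannot exist to learn the server's real “not found” behaviour, then treat any later reply that looks like that baseline as a custom error page rather than a hit, and use a content signature to settle the “recognize?” step. The HTML error page and the probe replies are constructed sample data; the 0.85 similarity threshold is a tuning choice, not a standard.

```python
"""Telling real hits from custom error pages: the “200 OK problem” (added example)."""
import difflib
import secrets
import string
from typing import Dict, NamedTuple, Optional


class Response(NamedTuple):
    status: int
    body: str


def random_path(length: int = 16) -> str:
    """A path that cannot plausibly exist, used to learn the server's “not found” behaviour."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(secrets.choice(alphabet) for _ in range(length))


def similarity(a: str, b: str) -> float:
    # autojunk=False: the default heuristic discards frequent characters in longer
    # strings and makes page-to-page comparisons unreliable.
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def classify(probe: Response, baseline: Response,
             expected_marker: Optional[str] = None, threshold: float = 0.85) -> str:
    """Apply the slide's decision flow to one probed resource.

    baseline        - the reply to a request for a random, non-existent path
    expected_marker - text the real resource is known to contain (a signature);
                      if given, it settles the “recognize?” step
    """
    if probe.status == 404:
        return "no vulnerability"                      # does it exist? -> no
    if probe.status == baseline.status and similarity(probe.body, baseline.body) >= threshold:
        return "false positive (custom error page)"    # looks like the server's own 'not found'
    if expected_marker is not None:
        return ("positive vulnerability" if expected_marker in probe.body
                else "false positive (unrecognised content)")
    return "positive vulnerability (verify manually)"


# Constructed sample data, not taken from a real server.
CUSTOM_404 = ("<html><head><title>Oops</title></head><body><h1>We could not find that page</h1>"
              "<p>The page you asked for does not exist. Try the search box or go home.</p>"
              "<p>Requested: {path}</p></body></html>")
BASELINE = Response(200, CUSTOM_404.format(path=random_path()))


def demo() -> Dict[str, str]:
    """Three probes: a 200-OK error page, a real phpinfo page, and an honest 404."""
    probes = {
        "/cgi-bin/test-cgi": Response(200, CUSTOM_404.format(path="/cgi-bin/test-cgi")),
        "/phpinfo.php": Response(200, "<html><body><h1>PHP Version</h1><table>...</table></body></html>"),
        "/server-status": Response(404, "Not Found"),
    }
    return {path: classify(r, BASELINE, expected_marker="PHP Version" if "php" in path else None)
            for path, r in probes.items()}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:20s} {verdict}")
```

Learn the baseline per directory as well as per host: applications often have their own error handling under `/app/` that differs from the web server's default page, and a single baseline will then misclassify one or the other.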
WebDAV
► WebDAV (Web-based Distributed Authoring and Versioning) is an HTTP extension that turns the web server into a remote file system
● Allows editing/modification/creation of web pages without having file-level access to the server, via extra methods such as PROPFIND, PUT, DELETE, MKCOL, COPY and MOVE
● Uses normal HTTP auth – Basic, Digest, NTLM, etc.
► Generally users do not need WebDAV on production servers, so turn it off (or secure it)
► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled (look at the Allow: and DAV: response headers)
● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
● Turn off methods other than GET, POST, and HEAD
HTTP Options
Turning off HTTP verbs
► Apache
● Uninstall/disable mod_dav (or variants)
− Look for “DAV On” in the web config file(s)
● mod_rewrite +
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
RewriteRule .* - [F]
► IIS
● Web Service Extensions Manager (in the IIS Manager MMC)
● (IIS 4.0 + 5.0) URLScan + DenyVerbs
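As an added example (editor's code, not from the deck; a WSGI stand-in for the mod_rewrite and URLScan controls above): an application-tier allow-list that answers OPTIONS itself with only the verbs the application uses, and turns every other verb outside GET/HEAD/POST into a 405 with a matching Allow header. `hello_app` and the `call()` helper exist only so the middleware can be exercised without a web server.

```python
"""Enforce an HTTP method allow-list in the application tier (added example)."""
from typing import Callable, FrozenSet, List, Tuple

ALLOWED: FrozenSet[str] = frozenset({"GET", "HEAD", "POST"})
WSGIApp = Callable


def method_allowlist(app: WSGIApp, allowed: FrozenSet[str] = ALLOWED) -> WSGIApp:
    """Wrap a WSGI app so only the listed verbs reach it.

    OPTIONS is answered here with the same list, so an OPTIONS probe never sees
    PUT/DELETE/PROPFIND/... advertised. Everything else outside the list gets 405.
    """
    allow_value = ", ".join(sorted(allowed))

    def wrapper(environ, start_response):
        # HTTP methods are case-sensitive; do not normalise, compare exactly.
        method = environ.get("REQUEST_METHOD", "")
        if method == "OPTIONS":
            start_response("204 No Content", [("Allow", allow_value)])
            return [b""]
        if method not in allowed:
            body = b"Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Allow", allow_value),          # RFC 7231 requires Allow on a 405
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)

    return wrapper


def hello_app(environ, start_response):
    """Stand-in application for the demonstration."""
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app: WSGIApp, method: str, path: str = "/") -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_PROTOCOL": "HTTP/1.1"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = method_allowlist(hello_app)
    for verb in ("GET", "OPTIONS", "PUT", "DELETE", "PROPFIND", "TRACE", "get"):
        status, headers, _ = call(app, verb)
        print(f"{verb:9s} -> {status:24s} Allow: {dict(headers).get('Allow')}")
```

This is defence in depth, not a replacement for the server-level controls on the slide: mod_dav handles PROPFIND and friends before any application code runs, and TRACE is answered by the server itself (Apache: `TraceEnable off`), so those still have to be disabled where the slide says.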
HTTPS
► HTTPS (HTTP over SSL) is a requirement for a lot of websites
● Provides confidentiality
− Not only for PII or credit card info, but also for session tokens (more later)
● Provides integrity
− Detects tampering in transit (MITM attacks)
● Authentication as well, but leave that for another time
► The strength of the SSL cipher used matters, depending on the information being protected
● “weak” ciphers can be broken in as little as 4 hours
SSL Negotiation
► SSL selects the cipher by negotiation between the server and the browser
● The browser offers the ciphers it supports; the server picks one it also supports, so the server's configuration (and its preference order) decides what actually gets used
► SSLv2 downgrade attack
● The SSLv2 handshake is not integrity protected, so an attacker in the middle can force a weaker cipher than both sides actually support
● Fix: disable SSLv2 and only allow “strong” ciphers
► Use SSLDigger and OpenSSL (openssl s_client) to check ciphers and versions
Removing SSL Ciphers
► Apache
● mod_ssl +
− SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2
− The string uses OpenSSL cipher-list syntax: a bare name or alias adds ciphers, ‘+’ moves already-selected matching ciphers to the end of the list (lower preference) rather than adding them, ‘-’ removes them (they can be re-added later in the string), ‘!’ removes them permanently
− Can select specific ciphers instead of aliases
− SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5
− Caveat: a string that starts with a removal selects nothing on its own; start from an alias such as HIGH and then add or remove specific suites
► IIS
● Site Properties → Directory Security → Require 128 bits
● Can remove ciphers via RegEdit
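An added Python example (editor's code, not from the deck, SSLDigger or mod_ssl) that serves the two slides on negotiation and cipher removal. `expand_cipher_spec` hands a cipher string such as `HIGH:+MEDIUM:!LOW:!SSLv2` to the same OpenSSL parser mod_ssl uses and returns the suites it really selects, so the effect of `+`, `-` and `!` can be seen rather than guessed; `weaknesses` flags suites that are anonymous, under 128 bits, RC4/RC2/DES/NULL or MD5-MACed; `probe_cipher` offers a server exactly one suite at a time, which is the SSLDigger approach. The EXP-RC4-MD5 entry is a constructed description in OpenSSL's format, because modern OpenSSL no longer ships that suite; host and port in `probe_cipher` are whatever you are testing.

```python
"""Expand an OpenSSL cipher string and flag weak suites (added example)."""
import re
import socket
import ssl
from typing import Dict, List, Optional, Tuple


def expand_cipher_spec(spec: str) -> List[Dict]:
    """Return the TLS<=1.2 cipher suites an OpenSSL cipher string actually selects.

    Apache's SSLCipherSuite (mod_ssl) hands its value to this same OpenSSL parser,
    so the result shows what a directive like HIGH:+MEDIUM:!LOW really enables.
    Raises ssl.SSLError if the string matches nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # TLS 1.3 suites are not governed by the cipher string; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


_FIELD = re.compile(r"(Au|Enc|Mac)=(\S+)")


def weaknesses(cipher: Dict) -> List[str]:
    """Reasons a suite should not be offered by a production server.

    Works from OpenSSL's description line (e.g. 'Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5')
    plus the effective key strength OpenSSL reports.
    """
    fields = dict(_FIELD.findall(cipher["description"]))
    reasons: List[str] = []
    if cipher["strength_bits"] < 128:
        reasons.append(f"only {cipher['strength_bits']}-bit")
    if fields.get("Au") == "None":
        reasons.append("anonymous (no server authentication, trivially MITMed)")
    enc = fields.get("Enc", "")
    if enc.startswith(("RC4", "RC2", "DES", "None")) or "export" in cipher["description"]:
        reasons.append(f"weak or no encryption ({enc})")
    if fields.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit(spec: str) -> Dict[str, List[str]]:
    """Map each suite the spec enables to its weaknesses (empty list = acceptable)."""
    return {c["name"]: weaknesses(c) for c in expand_cipher_spec(spec)}


def probe_cipher(host: str, port: int, cipher: str,
                 timeout: float = 5.0) -> Optional[Tuple[str, str, int]]:
    """SSLDigger-style check: offer exactly one suite and see if the server takes it.

    Returns (name, protocol, secret_bits) on success, None if the handshake fails.
    Certificate checks are off because the question is what the server will
    negotiate, not whether its certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # only TLS<=1.2 honours the cipher string
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None                                 # local OpenSSL cannot even offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (OSError, ssl.SSLError):
        return None


# Constructed entry in OpenSSL's description format; modern OpenSSL builds no longer
# ship this suite, so it cannot come out of expand_cipher_spec().
EXPORT_RC4 = {"name": "EXP-RC4-MD5", "strength_bits": 40, "protocol": "SSLv3",
              "description": "EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"}

if __name__ == "__main__":
    print("EXP-RC4-MD5:", weaknesses(EXPORT_RC4))
    for spec in ("HIGH:+MEDIUM:!LOW:!SSLv2", "HIGH:!aNULL:!MD5:!3DES"):
        try:
            result = audit(spec)
        except ssl.SSLError as exc:
            print(f"{spec}: {exc}")
            continue
        bad = {n: r for n, r in result.items() if r}
        print(f"{spec}: {len(result)} suites, {len(bad)} flagged -> {sorted(bad)}")
    # Live check, e.g. probe_cipher("servername", 443, "RC4-SHA")
```

Whether a name like `RC4-SHA` can be offered at all depends on the OpenSSL build Python is linked against; `probe_cipher` returns None in that case too, so a None is not by itself proof that the server refuses the suite. The `ssl` module cannot speak SSLv2 at all; for that part of the slide, `openssl s_client` is the tool.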
Conclusion/wrap-up
► Ensure that the machine is as “clean” as possible
● Stop unnecessary services and close the ports
● Remove all unnecessary pages / scripts / interfaces
► Disable unneeded HTTP methods
► Use SSLv3/TLS (i.e. disable SSLv2; SSLv3 has since been broken as well, so on a current server allow TLS only)
► Remove all SSL ciphers other than “strong” or above
► See…
● LAMP - http://www.apachesecurity.net/
● WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Next Up: Authentication
Credits/references
► NetCat
● http://netcat.sourceforge.net/
● (also available in Cygwin - http://www.cygwin.com/)
► SecurityFocus.com, Secunia.com, OSVDB.org
► HTTPrint
● http://net-square.com/httprint/
► nMap
● http://insecure.org/nmap/
► Apache documentation
● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
► IISLockdown
● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
► URLScan
● http://www.microsoft.com/technet/security/tools/urlscan.mspx
► Brute force weak SSL ciphers
● http://www.cl.cam.ac.uk/~rnc1/brute.html
► IIS SSL ciphers registry hack
● http://support.microsoft.com/kb/216482
● http://support.microsoft.com/kb/187498