Web Application Vulnerabilities: Detect, Exploit, Prevent

We'll be discussing how to use BackTrack throughout this chapter. You can download the BackTrack ISO from http://www.remote-exploit.org/. This chapter covers port 80.
A responsive port 80 (or 443) raises several questions for attackers and penetration testers:
Can I compromise the Web server due to vulnerabilities on the server daemon itself?
Can I compromise the Web server due to its unhardened state?
Can I compromise the application running on the Web server due to vulnerabilities within the application?
Can I compromise the Web server due to vulnerabilities within the application?
This chapter explains how a penetration tester would most likely answer each of the preceding questions.
Attacking or assessing companies over the Internet has changed over the past few years, from assessing a multitude of services to assessing just a handful. It is rare today to find an exposed world-readable Network File Server (NFS) share on a host, or an exposed vulnerability such as fingerd. Network administrators have long known the joys of default-deny rule bases, and vendors no longer leave publicly disclosed bugs unpatched on public networks for months. Chances are that when you are on a server on the Internet you are using the Hypertext Transfer Protocol (HTTP). Netcraft (www.netcraft.com) maintains that more than 70 percent of the servers visible on the Internet today are Web servers, with a plethora of services being added on top of HTTP.
For as along as there have been...