Quick notes – How to Verify IIS Findings
06/03/2012 § 1 Comment
How to verify IIS findings (Requirement: ncat, which ships with the Nmap tool):
Microsoft IIS Authentication Method Disclosure
Verifying HTTPS (*For http just remove "--ssl" from the ncat command below)

# ncat --ssl -vv ip.address port
GET / HTTP/1.1
Host: iis-server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

OR

GET / HTTP/1.1
Host: iis-server
Authorization: Basic cTFraTk6ZDA5a2xt

---> RESPONSE:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 15:36:28 GMT
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9NAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA=
Content-Length: 24
Content-Type: text/html
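As an added example (not part of the original notes), the script below decodes the NTLM CHALLENGE_MESSAGE (type 2) carried in the WWW-Authenticate header of the 401 response above, to show what this finding actually discloses: the server's NetBIOS and DNS host/domain names and its OS version. The base64 value is the one captured above; the AV_PAIR ids and flag constants are taken from MS-NLMP, and the field names in the returned dict are my own.

```python
import base64
import struct

# Constructed sample: the WWW-Authenticate value quoted in the 401 response above.
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9N"
    "AEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAEA"
    "GgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAx"
    "AAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA="
)

# AV_PAIR ids from MS-NLMP section 2.2.2.1 (TargetInfo list)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}
NEGOTIATE_TARGET_INFO = 0x00800000   # MS-NLMP NTLMSSP_NEGOTIATE_TARGET_INFO
NEGOTIATE_VERSION = 0x02000000       # MS-NLMP NTLMSSP_NEGOTIATE_VERSION


def parse_ntlm_challenge(www_authenticate):
    """Decode a 'Negotiate <b64>' / 'NTLM <b64>' CHALLENGE_MESSAGE (type 2)."""
    scheme, _, token = www_authenticate.strip().partition(" ")
    raw = base64.b64decode(token)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", raw, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", raw, 20)[0]              # NegotiateFlags
    info = {"scheme": scheme, "flags": flags, "server_challenge": raw[24:32].hex(),
            "target_name": raw[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "os_version": None, "target_info": {}}
    if flags & NEGOTIATE_VERSION:                             # Version field is present
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        info["os_version"] = (major, minor, build)
    if flags & NEGOTIATE_TARGET_INFO:                         # walk the AV_PAIR list
        pos = struct.unpack_from("<HHI", raw, 40)[2]          # TargetInfoFields offset
        while True:
            av_id, av_len = struct.unpack_from("<HH", raw, pos)
            pos += 4
            if av_id == 0:                                    # MsvAvEOL terminates the list
                break
            value = raw[pos:pos + av_len]
            pos += av_len
            info["target_info"][AV_NAMES.get(av_id, av_id)] = (
                value.hex() if av_id == 7 else value.decode("utf-16-le"))
    return info

if __name__ == "__main__":
    for key, val in parse_ntlm_challenge("Negotiate " + CHALLENGE_B64).items():
        print(f"{key}: {val}")
```

For the captured header this yields the host name MKS-NOT-WEB01 (NetBIOS and DNS forms) and OS version 5.0 build 2195, which is what makes the header worth reporting even though the request itself was rejected.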
Microsoft IIS Internal IP Address Leak
Verifying HTTPS (*For http just remove "--ssl" from the ncat command below)

#########################################
# Content-Location Internal IP Leak
#########################################
ncat --ssl -vv ip.address port
HEAD / HTTP/1.0

OR

ncat --ssl -vv ip.address port
GET / HTTP/1.0

#########################################
# WEBDAV PROPFIND/SEARCH Internal IP Leak
#########################################
ncat --ssl -vv ip.address port
PROPFIND / HTTP/1.1
Host:
Content-Length: 0

Microsoft IIS ISAPI Services are Enabled
Verifying HTTPS (*For http just remove "--ssl" from the ncat command below)

#########################################
# Test for the following extensions (IDA,
# IDC, IDQ, HTR, HTW, and PRINTER)
#########################################
ncat --ssl -vv ip.address port
GET /x.printer HTTP/1.0

-----> RESPONSE
HTTP/1.1 500 13
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 16:02:30 GMT
X-Powered-By: ASP.NET
Content-Type: text/html

<b>Error in web printer install.</b>
References:
Nexpose
Microsoft IIS Unprotected CNF Files Information Disclosure
Verifying HTTP (*For https just add "--ssl" to the ncat command below)

#########################################
# Test for the following files:
# access.cnf, svcacl.cnf, writeto.cnf,
# service.cnf, botinfs.cnf, bots.cnf,
# linkinfo.cnf and services.cnf
#########################################
ncat --ssl -vv ip.address port
GET /_vti_pvt/access.cnf HTTP/1.0

---> RESPONSE:
HTTP/1.1 200 OK
Content-Length: 121
Content-Type: text/plain
Last-Modified: Sat, 11 Mar 2006 07:59:56 GMT
Accept-Ranges: bytes
ETag: "fa6d53c9e144c61:2184"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Jun 2012 16:07:16 GMT
Connection: close

vti_encoding:SR|utf8-nl
RealmName:exp-rom-web-01
PasswordDir:c:\\inetpub\\wwwroot\\_vti_pvt
InheritPermissions:false
References:
ready for the pain?
03/23/2011 § 4 Comments
Happy to announce my debut!
ping hdesser.wordpress.com
PING lb.wordpress.com (72.233.2.58): 56 data bytes
64 bytes from 72.233.2.58: icmp_seq=0 ttl=52 time=117.765 ms
64 bytes from 72.233.2.58: icmp_seq=1 ttl=52 time=122.476 ms
64 bytes from 72.233.2.58: icmp_seq=2 ttl=52 time=111.617 ms
64 bytes from 72.233.2.58: icmp_seq=3 ttl=52 time=110.627 ms
64 bytes from 72.233.2.58: icmp_seq=4 ttl=52 time=115.772 ms
64 bytes from 72.233.2.58: icmp_seq=5 ttl=52 time=138.754 ms
^C
--- lb.wordpress.com ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 110.627/119.502/138.754/9.464 ms
Finally, I will have a place to vomit my ideas.
Before I begin, a few things you might need to know about me:
A proud Offensive Security certified student (OSWP/OSCP/OSCE), a Corelan student, and an infosec enthusiast at heart.