Quick notes – How to Verify IIS Findings
06/03/2012
How to verify IIS findings (requirement: ncat, which ships with the Nmap tool):
Microsoft IIS Authentication Method Disclosure
Verifying HTTPS (*for plain HTTP just remove "--ssl" from the ncat command below)
# ncat --ssl -vv ip.address port
GET / HTTP/1.1
Host: iis-server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

OR

GET / HTTP/1.1
Host: iis-server
Authorization: Basic cTFraTk6ZDA5a2xt

---> RESPONSE:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 15:36:28 GMT
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9NAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA=
Content-Length: 24
Content-Type: text/html
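The finding is about what the server hands to a client that has not authenticated at all. The NTLM Type 2 challenge in the WWW-Authenticate header above carries the server's NetBIOS and DNS names and its OS version in clear (UTF-16LE) text. The following Python parser is an added example, not part of the original post; it decodes that exact challenge from this page according to the CHALLENGE_MESSAGE layout in MS-NLMP, so a defender can see precisely which host details leak before deciding whether the exposed authentication scheme is acceptable.

```python
import base64
import struct

# NTLM CHALLENGE_MESSAGE copied from the WWW-Authenticate header in the
# 401 response shown above (this page's own capture).
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9N"
    "AEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAx"
    "AAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAx"
    "AAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA="
)

# AvId values of the AV_PAIR structure (MS-NLMP section 2.2.2.1).
AV_NAMES = {
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
}


def parse_ntlm_challenge(b64):
    """Return the host details an NTLM Type 2 message discloses to an unauthenticated client."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    major, minor, build = struct.unpack_from("<BBH", msg, 48)  # Version (if sent)
    info = {
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "os_version": f"{major}.{minor} build {build}",
        "negotiate_flags": hex(flags),
        "av_pairs": {},
    }
    pos = ti_off
    while pos < ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
        info["av_pairs"][AV_NAMES.get(av_id, f"AvId {av_id}")] = value
    return info


if __name__ == "__main__":
    for key, value in parse_ntlm_challenge(CHALLENGE_B64).items():
        print(f"{key}: {value}")
```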
Microsoft IIS Internal IP Address Leak
Verifying HTTPS (*for plain HTTP just remove "--ssl" from the ncat command below)
#########################################
# Content-Location Internal IP Leak
#########################################
ncat --ssl -vv ip.address port
HEAD / HTTP/1.0

OR

ncat --ssl -vv ip.address port
GET / HTTP/1.0

#########################################
# WEBDAV PROPFIND/SEARCH Internal IP Leak
#########################################
ncat --ssl -vv ip.address port
PROPFIND / HTTP/1.1
Host:
Content-Length: 0
Microsoft IIS ISAPI Services are Enabled
Verifying HTTPS (*for plain HTTP just remove "--ssl" from the ncat command below)
#########################################
# Test for the following extensions (IDA,
# IDC, IDQ, HTR, HTW, and PRINTER)
#########################################
ncat --ssl -vv ip.address port
GET /x.printer HTTP/1.0

-----> RESPONSE
HTTP/1.1 500 13
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 16:02:30 GMT
X-Powered-By: ASP.NET
Content-Type: text/html
<b>Error in web printer install.</b>
References:
Nexpose
Microsoft IIS Unprotected CNF Files Information Disclosure
Verifying HTTP (*the ncat command below is shown with "--ssl" for HTTPS; for plain HTTP just remove it)
#########################################
# Test for the following files:
# access.cnf, svcacl.cnf, writeto.cnf,
# service.cnf, botinfs.cnf, bots.cnf,
# linkinfo.cnf and services.cnf
#########################################
ncat --ssl -vv ip.address port
GET /_vti_pvt/access.cnf HTTP/1.0

---> RESPONSE:
HTTP/1.1 200 OK
Content-Length: 121
Content-Type: text/plain
Last-Modified: Sat, 11 Mar 2006 07:59:56 GMT
Accept-Ranges: bytes
ETag: "fa6d53c9e144c61:2184"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Jun 2012 16:07:16 GMT
Connection: close

vti_encoding:SR|utf8-nl
RealmName:exp-rom-web-01
PasswordDir:c:\\inetpub\\wwwroot\\_vti_pvt
InheritPermissions:false
References:
Love this – keep it up man 🙂