Quick notes – How to Verify IIS Findings

06/03/2012

How to verify IIS findings by hand (requirement: ncat, which ships with Nmap):

Microsoft IIS Authentication Method Disclosure

Verifying over HTTPS (for plain HTTP, drop --ssl from the ncat command below). Type the request lines and finish with an empty line. The Negotiate value is an NTLM Type 1 (negotiate) token; the Basic value is just some base64 user:password pair. Either way the point is the WWW-Authenticate header(s) the server sends back, which disclose the authentication methods it accepts.

ncat --ssl -vv ip.address port
GET / HTTP/1.1
Host: iis-server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

OR

GET / HTTP/1.1
Host: iis-server
Authorization: Basic cTFraTk6ZDA5a2xt

---> RESPONSE:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 15:36:28 GMT
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9NAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA=
Content-Length: 24
Content-Type: text/html

The 401 with "WWW-Authenticate: Negotiate" confirms NTLM is accepted. Note that the Negotiate value is an NTLM Type 2 (challenge) token, which is base64-encoded but not encrypted: decoded, it carries the server's NetBIOS and DNS names (here MKS-NOT-WEB01 / mks-not-web01) and the OS version field (5.0 build 2195, i.e. Windows 2000), so the finding is more than "NTLM is on".
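To see what the challenge actually gives away, the Python below (an added example, not part of the original notes) rebuilds the Type 1 token used in the request above and decodes the Type 2 token from the response: negotiate flags, the 8-byte server challenge, the target name, the AV_PAIR list (NetBIOS/DNS names) and the version field. The two base64 strings are copied from this page; the field layout follows MS-NLMP. Replace CHALLENGE_B64 with the token from your own target.

```python
import base64
import struct

# Tokens copied from the request and response shown above (NTLM over HTTP Negotiate).
TYPE1_B64 = "TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA="
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAA"
    "BQCTCAAAAA9NAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4A"
    "TwBUAC0AVwBFAEIAMAAxAAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQA"
    "GgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAMAGgBtAGsAcwAtAG4AbwB0AC0A"
    "dwBlAGIAMAAxAAAAAAA="
)
SIGNATURE = b"NTLMSSP\x00"

# Subset of the NTLMSSP negotiate flags (MS-NLMP 2.2.2.5) that matter for fingerprinting.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x80000000: "NEGOTIATE_56",
}
# AV_PAIR ids carried in the Type 2 TargetInfo block (MS-NLMP 2.2.2.1).
AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
          4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 7: "MsvAvTimestamp"}


def build_type1(flags=0xA0008207):
    """Type 1 (NEGOTIATE) token with empty domain/workstation; default flags match the request above."""
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", 0, 0, 0) * 2      # DomainName and Workstation fields, both empty
    return base64.b64encode(msg).decode("ascii")


def flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)


def parse_type2(b64):
    """Decode a Type 2 (CHALLENGE) token and return everything it discloses about the server."""
    data = base64.b64decode(b64)
    if data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE (type 2), got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", data, 12)   # TargetName fields
    flags = struct.unpack_from("<I", data, 20)[0]
    challenge = data[24:32]                                            # 8-byte ServerChallenge
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", data, 40)    # TargetInfo fields
    result = {
        "flags_raw": flags,
        "flags": flag_names(flags),
        "challenge": challenge.hex(),
        "target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "version": None,
        "target_info": {},
    }
    # Version block (major, minor, build, 3 reserved, NTLM revision) only exists in the
    # 56-byte header form, i.e. when NEGOTIATE_VERSION is set and the payload starts at >= 56.
    if flags & 0x02000000 and tn_off >= 56:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        result["version"] = (major, minor, build)
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:                       # MsvAvEOL terminates the list
            break
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_IDS.get(av_id, f"MsvAv{av_id}")
        if av_id == 7:                       # FILETIME, not a string
            result["target_info"][name] = struct.unpack("<Q", value)[0]
        else:
            result["target_info"][name] = value.decode("utf-16-le", "replace")
    return result


if __name__ == "__main__":
    print("Type 1 matches the request above:", build_type1() == TYPE1_B64)
    for key, value in parse_type2(CHALLENGE_B64).items():
        print(f"{key}: {value}")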

References: Nexpose, CVE, BID

Microsoft IIS Internal IP Address Leak

Verifying over HTTPS (for plain HTTP, drop --ssl from the ncat command below). What you are looking for is an RFC 1918 address in the Content-Location header of the response: with no Host header in the request, IIS 4/5 builds that header from its own (internal) address.

#########################################
# Content-Location Internal IP Leak
# (HTTP/1.0, no Host header on purpose)
#########################################

ncat --ssl -vv ip.address port
HEAD / HTTP/1.0

OR

ncat --ssl -vv ip.address port
GET / HTTP/1.0

#########################################
# WEBDAV PROPFIND/SEARCH Internal IP Leak
# (Host header deliberately sent empty;
#  repeat with SEARCH in place of PROPFIND)
#########################################

ncat --ssl -vv ip.address port
PROPFIND / HTTP/1.1
Host:
Content-Length: 0

References: Nexpose, BID


Microsoft IIS ISAPI Services are Enabled

Verifying over HTTPS (for plain HTTP, drop --ssl from the ncat command below). Request a non-existent file with each extension: a 404 means the extension is not mapped to an ISAPI handler; any other answer, like the .printer response below, means the mapping is still in place, so read the body to confirm which handler replied.


#########################################
# Test for the following extensions (IDA, 
# IDC, IDQ, HTR, HTW, and PRINTER)
#########################################
ncat --ssl -vv ip.address port
GET /x.printer HTTP/1.0

-----> RESPONSE
HTTP/1.1 500 13
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 16:02:30 GMT
X-Powered-By: ASP.NET
Content-Type: text/html

<b>Error in web printer install.</b>

References: Nexpose

Microsoft IIS Unprotected CNF Files Information Disclosure

Verifying over HTTPS (for plain HTTP, drop --ssl from the ncat command below). A 200 that returns the file contents is the finding; these FrontPage Server Extensions files live under _vti_pvt and should never be served to a browser.


#########################################
# Test the for the following files:
# access.cnf, svcacl.cnf, writeto.cnf, 
# service.cnf, botinfs.cnf, bots.cnf, 
# linkinfo.cnf and services.cnf
#########################################

ncat --ssl -vv ip.address port
GET /_vti_pvt/access.cnf HTTP/1.0

---> RESPONSE:
HTTP/1.1 200 OK
Content-Length: 121
Content-Type: text/plain
Last-Modified: Sat, 11 Mar 2006 07:59:56 GMT
Accept-Ranges: bytes
ETag: "fa6d53c9e144c61:2184"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Jun 2012 16:07:16 GMT
Connection: close

vti_encoding:SR|utf8-nl
RealmName:exp-rom-web-01
PasswordDir:c:\\inetpub\\wwwroot\\_vti_pvt
InheritPermissions:false
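The three checks above (Content-Location / PROPFIND internal IP leak, ISAPI extension mapping, unprotected _vti_pvt .cnf files) are all "send a raw request, look at the answer" loops, so here is one script that runs them. It is an added example and not part of the original notes: it uses Python's socket and ssl modules in place of ncat, sends the same request lines as above, and applies the decision rules the notes imply (an RFC 1918 address in Content-Location is the IP leak, a 404 for /x.<ext> means the extension is not mapped while the "Error in web printer install" body proves the .printer handler is, and a 200 for a .cnf file is the disclosure). Two things are my own assumptions rather than from the page: the private-address search is also run over the response body so it covers the WebDAV XML reply, and any non-404 answer for an extension without a known signature is reported as "check manually". The sample responses in the checks are constructed from the ones shown on this page.

```python
import re
import socket
import ssl

# RFC 1918 ranges; one of these in a response header or body is the leak we are after.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)

# The raw requests from the notes above; CRLF line endings and a blank line terminate each.
REQ_HEAD_10 = b"HEAD / HTTP/1.0\r\n\r\n"
REQ_PROPFIND = b"PROPFIND / HTTP/1.1\r\nHost:\r\nContent-Length: 0\r\n\r\n"
ISAPI_EXTS = ["ida", "idc", "idq", "htr", "htw", "printer"]
CNF_FILES = ["access.cnf", "svcacl.cnf", "writeto.cnf", "service.cnf",
             "botinfs.cnf", "bots.cnf", "linkinfo.cnf", "services.cnf"]
# Body text that proves a handler is mapped; only .printer is documented on this page.
ISAPI_SIGNATURES = {"printer": "Error in web printer install"}


def send_raw(host, port, request, use_ssl=True, timeout=10):
    """Send one raw request, the way ncat does, and return the whole response."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False   # assessment targets rarely present a valid certificate
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    chunks = []
    try:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass                         # HTTP/1.1 keep-alive: server may not close; use what we got
    finally:
        sock.close()
    return b"".join(chunks)


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1")


def internal_ip_leak(raw):
    """Private addresses in Content-Location/Location headers or in the body (WebDAV XML hrefs)."""
    _status, headers, body = parse_response(raw)
    hits = set()
    for name in ("content-location", "location"):
        hits.update(PRIVATE_IP.findall(headers.get(name, "")))
    hits.update(PRIVATE_IP.findall(body))
    return sorted(hits)


def isapi_mapped(ext, raw):
    """Classify a GET /x.<ext> response as 'mapped', 'not mapped' or 'check manually'."""
    status, _headers, body = parse_response(raw)
    if ext in ISAPI_SIGNATURES and ISAPI_SIGNATURES[ext] in body:
        return "mapped"
    if status == 404:
        return "not mapped"          # IIS answers 404 when no handler is mapped to the extension
    return "check manually"          # some other handler or error page answered; read the body


def cnf_exposed(raw):
    """Return the key:value pairs of a served .cnf file, or None if it was not served."""
    status, _headers, body = parse_response(raw)
    if status != 200:
        return None
    pairs = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def verify(host, port, use_ssl=True):
    """Run the three checks from the notes against a live target and print the findings."""
    for req in (REQ_HEAD_10, REQ_PROPFIND):
        leak = internal_ip_leak(send_raw(host, port, req, use_ssl))
        print(req.split(b"\r\n")[0].decode(), "->", leak or "no private address seen")
    for ext in ISAPI_EXTS:
        raw = send_raw(host, port, f"GET /x.{ext} HTTP/1.0\r\n\r\n".encode(), use_ssl)
        print(f".{ext}: {isapi_mapped(ext, raw)}")
    for name in CNF_FILES:
        raw = send_raw(host, port, f"GET /_vti_pvt/{name} HTTP/1.0\r\n\r\n".encode(), use_ssl)
        print(f"{name}: {cnf_exposed(raw)}")


if __name__ == "__main__":
    import sys
    verify(sys.argv[1], int(sys.argv[2]), use_ssl=len(sys.argv) < 4 or sys.argv[3] != "http")
```

Usage (script name is my choice): `python3 iis_checks.py ip.address 443`, or append `http` as a third argument to skip TLS, the equivalent of dropping --ssl from ncat. Certificate verification is switched off on purpose, the same trust model as `ncat --ssl`; do not reuse send_raw as-is for anything that needs to trust the peer.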

References: Nexpose, SecuritySpace
