IIS Remote Analysis

Source: Internet
Author: User
Tags microsoft iis
Old Article Now I have read it as a classic. I recommend it to you.

When it comes to Microsoft's IIS Web server security issues, many people will immediately think of the critical vulnerabilities that are hailed by people: Unicode, CGI parsing ,. ida, idq ,. printer remote overflow.

Remotely determine Directory Permissions

Open an IIS server. In the IIS Service Manager, select a directory to view its properties.
There are some options in the directory attribute items (Log Access and indexing of this resource is not counted ):

Script resource access: the script for the website can read the original file.

Read the static Resources in the directory.

Write users can create and delete Resources

Directory browsing users can browse the directory content.

ApplicationProgramThe set execution license has three options:

None

Only scripts such as ASP scripts are allowed.

Various file types can be accessed and executed by scripts and executable programs

So, how can we determine the switch settings on the server? Don't worry. Come one by one.

Execution permission:

How can I determine whether the execution permission is enabled for a directory? Send the following request to the server:

Http: // IIS-server/DIR/no-such-file.dll

/DIR/to determine the directory, the no-such-file.dll is to get a name, the server does not have this file. The server returns a message for our request. If a 500 error is returned:

HTTP 500-internal server error (internal server error)

The execution permission of this directory is open. For servers, do not grant the execution permission. Especially for the execution permissions of virtual directories, you can understand the exploitation process of Unicode and secondary Decoding Vulnerabilities.

If a 404 error is returned by the server:

HTTP 404-file not found

The execution permission of this directory is not enabled.

Write Permission:

To test whether a directory has write permissions for a Web user, telnet to the Web port (80) of the server and send the following request:

Put/DIR/my_file.txt HTTP/1.1

HOST: IIS-Server

Content-Length: 10 <enter>

At this time, the server will return a 100 (CONTINUE) message:

HTTP/1.1 100 continue

Server: Microsoft-Microsoft IIS/5.0

Date: Thu, 28 Feb 2002 15:56:00 GMT

Then, we enter 10 letters:

Aaaaaaaaaa

After sending this request, check the server's returned information. If the request is a 201 created response:

HTTP/1.1 201 created

Server: Microsoft-Microsoft IIS/5.0

Date: Thu, 28 Feb 2002 15:56:08 GMT

Location: http: // IIS-server/DIR/my_file.txt

Content-Length: 0

Allow: Options, Trace, get, Head, delete, put, copy, move, PROPFIND,

Proppatch, search, lock, unlock

It indicates that the write permission for this directory is open. Otherwise, if a 403 error is returned, the write permission is not enabled. If you need to authenticate, if a 401 (Forbidden) response is returned, the write permission is enabled, but anonymous users are not allowed. If "write" and "script and executable program" are enabled in a directory, web users can upload a program and execute it !~

Script-only execution permission:

There are too many directories. Many directories that do not need execution permissions are also granted the script execution permission by the Administrator. I remember in an article in shotgun, he said: minimum permissions + least services = maximum security; no error at all. It is unnecessary to grant any excessive permissions to the directory. It is also easy to determine whether a directory can execute a pure script file, and send a request such as the following:

Http: // IIS-server/DIR/no-such-file.asp

If the returned 404 file does not exist, the execution permission is granted. If the returned 403 file does not exist, the execution permission is disabled.

View directory permissions:

It may take a little bit of tips to determine whether a directory allows browsing. However, if the default homepage (for example, default. asp) of a website does not exist, it will be much simpler. Enter:

Http: // IIS-server/DIR/

If the permission is on, the system will return a 200 response and list the content in the current directory. Otherwise, the system will turn off if the directory is not listed. However, what if default. asp exists on the default page? Click the address above to open the page. Don't worry, there is a request method in WebDAV called profind. This method allows us to obtain some information from the server resources, such as the file name, Creation Time, and last modification time. We can also use the default. asp Method to Determine the directory browsing permission. telnet to the Web port of IIS-server and send the following request:

PROPFIND/DIR/HTTP/1.1

HOST: IIS-Server

Content-Length: 0

In this case, the server returns a 207 multi status response. If the directory is accessible, resources in the directory and their attributes are listed. If directory browsing is not allowed, more information will be returned. In general, directory browsing can only be regarded as a low-risk vulnerability. For example, if an images directory contains nothing but images, it does not pose any harm to server security. However, if the directory contains an admin page. ASP or some database connection information files may cause your server to be handed over to intruders.

Read Permission:

It is easy to determine this. You can send a request with a TXT file:

Http: // IIS-server/DIR/no-such-file.txt

If a response indicating that the 404 file does not exist is returned, the read permission is open. If the 403 error is returned, the read permission is disabled. People who have been exposed to security several years ago must know: $ Data leaks ASPSource codeIn fact, if an ASP script is in the directory, the read permission is not required. asp only requires the script execution permission.

IIS authentication method judgment

This vulnerability was recently announced. the IIS server supports anonymous access, basic authentication, and Windows integrated authentication using NTLM. If the client sends a request containing authentication information, IIS will forcibly try to use the authentication information for authentication, and return the response that does not respond. In this way, we can determine the IIS Authentication configuration.

To determine whether IIS supports basic authentication, telnet to port 80 on the server and send the following request:

Get, HTTP, 1.1

HOST: IIS-Server

Authorization: Basic c3lzdgvtom1hbmfnzxia

This is a basic authentication request, which contains a Base 64-encoded user ID and pass. The string following basic is system: manager after Base 64 decoding. If the server returns a 401 message, the basic authentication option is on. If 200 information is returned, there are two possibilities: the basic authentication option is not enabled or a user name on the server is

The username and password of the system are Manager (if you guess it is correct, it will be a huge success ).

To determine whether the NTLM option is enabled, you can send the following request to IIS:

Get, HTTP, 1.1

HOST: IIS-Server

Authorization: negotiatetlrmtvntuaabaaaab4iaoaaaaaaaaaaaaaaaaaaaa =

Similarly, if 401 messages are returned, NTLM is supported. If 200 is returned, the NTLM authentication option is disabled.

For most websites, these two authentication methods do not need to be enabled. They may leak important information about servers.

Leakage of internal IP address information

If the IIS server is in a NAT firewall, there is usually an internal address such as 10. x.

If the basic authentication option is enabled for IIS, you can obtain the internal IP address of the server by sending a simple request:

Get, HTTP, 1.1

Host:

Authorization: Basic c3lzdgvtom1hbmfnzxia

The server returns the following response:

HTTP/1.1 401 Access Denied

Server: Microsoft-Microsoft IIS/5.0

Date: Fri, 01 Mar 2002 15:45:32 GMT

WWW-Authenticate: Basic realm = "10.1.1.2"

Connection: Close

Content-Length: 3245

Content-Type: text/html

10.1.1.2 is the internal IP address of the machine. Originally, the value of realm is a Host Header provided by the client, but it is null here. Therefore, IIS uses the local IP address instead. Similarly, the returned information of requests such as PROPFIND, write, and mkcol can also leak some host information. For example, we submit the following request to the server:

PROPFIND/HTTP/1.1

Host:

Content-Length: 0

When IIS is configured to use the host name (see later), the IP address of the host is not exposed, but the NetBIOS name is exposed. In fact, we can use IIS authentication to obtain more information, such as the domain name, by sending the following NTLM authentication request to the server:

Get, HTTP, 1.1

HOST: IIS-Server

Authorization: negotiatetlrmtvntuaabaaaab4iaoaaaaaaaaaaaaaaaaaaaa

The server returns a message:

HTTP/1.1 401 Access Denied

Server: Microsoft-Microsoft IIS/5.0

Date: Fri, 01 Mar 2002 16:24:58 GMT

WWW-Authenticate: negotiate tlmtvntuaacaaaadaamadaaaaafgokgegvyvuvy67u
Aaaaaaaaaaeqaraa8aaaauwbdafkatabmaeeaagamafmaqwbzaewatabbaaea

Dabtaemawqbmaewaqqaeaawauwbdafkatabmaeeaawamafmaqwbzaewatabb

Aaaaaaa =

Content-Length: 3245

Content-Type: text/html

The long string contains the Base 64 encoding of the host name and the name of the domain where the NT is located.

Temporary solution: Go to the C: "inetpub" adminscripts or administs directory under CMD and run the command adsutil set w3svc/UseHostName True.
Net stop IISADMIN/y
Net start w3svc

Default Application ing judgment

It is relatively easy to determine whether the default ing exists. Here, only the response to the corresponding request is provided when the ing exists:

Extension:. Printer

Request: http: // IIS-server/Foo. Printer

Response: HTTP 500-Internal Server Error

Extension:. idc

Request: http: // IIS-server/Foo. idc

Response: Code 500 Internal Server Error

Extension:. idq

Request: http: // IIS-server/Foo. idq

Response Code: 200 OK

Response: The IDQ file D: "dir" "foo. idq is not found.

Extension:. Ida

Request: http: // IIS-server/Foo. Ida

Response Code: 200 OK

Response: The IDQ file D: "dir" foo. IDA is not found.

Extension:. htr

Request: http: // IIS-server/Foo. htr

Response: HTTP 404-file not found

Extension:. HTW

Request: http: // IIS-server/Foo. HTW

Response Code: 200 OK

Response: The format of QUERY_STRING is invalid.

Extension:. stm

Request: http: // IIS-server/Foo. stm

Response: HTTP 404-file not found

Extension:. shtm

Request: http: // IIS-server/Foo. shtm

Response: HTTP 404-file not found

Extension:. shtml

Request: http: // IIS-server/Foo. Ida

Response: HTTP 404-file not found

Determine whether the operating system is a personal version (Professional/workstation)

When IIS is installed on Windows2000 Professional Edition and NT Workstation, the maximum number of connections is 10 at the same time. With this, we can simply determine the operating system version: create 10 HTTP 1.1 persistent connections, 11th connection requests are returned with error 403.
The old article is now classic. We recommend it to you.

When it comes to Microsoft's IIS Web server security issues, many people will immediately think of the critical vulnerabilities that are hailed by people: Unicode, CGI parsing ,. ida, idq ,. printer remote overflow.

Remotely determine Directory Permissions

Open an IIS server. In the IIS Service Manager, select a directory to view its properties.
There are some options in the directory attribute items (Log Access and indexing of this resource is not counted ):

Script resource access: the script for the website can read the original file.

Read the static Resources in the directory.

Write users can create and delete Resources

Directory browsing users can browse the directory content.

There are three options for the execution license set by the application:

None

Only scripts such as ASP scripts are allowed.

Various file types can be accessed and executed by scripts and executable programs

So, how can we determine the switch settings on the server? Don't worry. Come one by one.

Execution permission:

How can I determine whether the execution permission is enabled for a directory? Send the following request to the server:

Http: // IIS-server/DIR/no-such-file.dll

/DIR/to determine the directory, the no-such-file.dll is to get a name, the server does not have this file. The server returns a message for our request. If a 500 error is returned:

HTTP 500-internal server error (internal server error)

 

 

 

The execution permission of this directory is open. For servers, do not grant the execution permission. Especially for the execution permissions of virtual directories, you can understand the exploitation process of Unicode and secondary Decoding Vulnerabilities.

If a 404 error is returned by the server:

HTTP 404-file not found

The execution permission of this directory is not enabled.

Write Permission:

To test whether a directory has write permissions for a Web user, telnet to the Web port (80) of the server and send the following request:

Put/DIR/my_file.txt HTTP/1.1

HOST: IIS-Server

Content-Length: 10 <enter>

At this time, the server will return a 100 (CONTINUE) message:

HTTP/1.1 100 continue

Server: Microsoft-Microsoft IIS/5.0

Date: Thu, 28 Feb 2002 15:56:00 GMT

Then, we enter 10 letters:

Aaaaaaaaaa

After sending this request, check the server's returned information. If the request is a 201 created response:

HTTP/1.1 201 created

Server: Microsoft-Microsoft IIS/5.0

Date: Thu, 28 Feb 2002 15:56:08 GMT

Location: http: // IIS-server/DIR/my_file.txt

Content-Length: 0

Allow: Options, Trace, get, Head, delete, put, copy, move, PROPFIND,

Proppatch, search, lock, unlock

It indicates that the write permission for this directory is open. Otherwise, if a 403 error is returned, the write permission is not enabled. If you need to authenticate, if a 401 (Forbidden) response is returned, the write permission is enabled, but anonymous users are not allowed. If "write" and "script and executable program" are enabled in a directory, web users can upload a program and execute it !~

Script-only execution permission:

There are too many directories. Many directories that do not need execution permissions are also granted script execution permissions by the Administrator. I remember in an article in shotgun, he said: Minimum permissions + minimum services = maximum security; no error at all. It is unnecessary to grant any excessive permissions to the directory. It is also easy to determine whether a directory can execute a pure script file, and send a request such as the following:

Http: // IIS-server/DIR/no-such-file.asp

If the returned 404 file does not exist, the execution permission is granted. If the returned 403 file does not exist, the execution permission is disabled.

View directory permissions:

It may take a little bit of tips to determine whether a directory allows browsing. However, if the default homepage (for example, default. asp) of a website does not exist, it will be much simpler. Enter:

Http: // IIS-server/DIR/

If the permission is on, the system will return a 200 response and list the content in the current directory. Otherwise, the system will turn off if the directory is not listed. However, what if default. asp exists on the default page? Click the address above to open the page. Don't worry, there is a request method in WebDAV called profind. This method allows us to obtain some information from the server resources, such as the file name, Creation Time, and last modification time. We can also use the default. asp Method to Determine the directory browsing permission. telnet to the Web port of IIS-server and send the following request:

PROPFIND/DIR/HTTP/1.1

HOST: IIS-Server

Content-Length: 0

In this case, the server returns a 207 multi status response. If the directory is accessible, resources in the directory and their attributes are listed. If directory browsing is not allowed, more information will be returned. In general, directory browsing can only be regarded as a low-risk vulnerability. For example, if an images directory contains nothing but images, it does not pose any harm to server security. However, if the directory contains an admin page. ASP or some database connection information files may cause your server to be handed over to intruders.

Read Permission:

It is easy to determine this. You can send a request with a TXT file:

Http: // IIS-server/DIR/no-such-file.txt

If a response indicating that the 404 file does not exist is returned, the read permission is open. If the 403 error is returned, the read permission is disabled. People who have been exposed to security several years ago must know: $ Data leaks ASP SourceCodeIn fact, if an ASP script is in the directory, the read permission is not required. asp only requires the script execution permission.

IIS authentication method judgment

This vulnerability was recently announced. the IIS server supports anonymous access, basic authentication, and Windows integrated authentication using NTLM. If the client sends a request containing authentication information, IIS will forcibly try to use the authentication information for authentication, and return the response that does not respond. In this way, we can determine the IIS Authentication configuration.

To determine whether IIS supports basic authentication, telnet to port 80 on the server and send the following request:

Get, HTTP, 1.1

HOST: IIS-Server

Authorization: Basic c3lzdgvtom1hbmfnzxia

This is a basic authentication request, which contains a Base 64-encoded user ID and pass. The string following basic is system: manager after Base 64 decoding. If the server returns a 401 message, the basic authentication option is on. If 200 information is returned, there are two possibilities: the basic authentication option is not enabled or a user name on the server is

The username and password of the system are Manager (if you guess it is correct, it will be a huge success ).

To determine whether the NTLM option is enabled, you can send the following request to IIS:

Get, HTTP, 1.1

HOST: IIS-Server

Authorization: negotiatetlrmtvntuaabaaaab4iaoaaaaaaaaaaaaaaaaaaaa =

Similarly, if 401 messages are returned, NTLM is supported. If 200 is returned, the NTLM authentication option is disabled.

For most websites, these two authentication methods do not need to be enabled. They may leak important information about servers.

Leakage of internal IP address information

If the IIS server is in a NAT firewall, there is usually an internal address such as 10. x.

If the basic authentication option is enabled for IIS, you can obtain the internal IP address of the server by sending a simple request:

Get, HTTP, 1.1

Host:

Authorization: Basic c3lzdgvtom1hbmfnzxia

The server returns the following response:

HTTP/1.1 401 Access Denied

Server: Microsoft-Microsoft IIS/5.0

Date: Fri, 01 Mar 2002 15:45:32 GMT

WWW-Authenticate: Basic realm = "10.1.1.2"

Connection: Close

Content-Length: 3245

Content-Type: text/html

10.1.1.2 is the internal IP address of the machine. Originally, the value of realm is a Host Header provided by the client, but it is null here. Therefore, IIS uses the local IP address instead. Similarly, the returned information of requests such as PROPFIND, write, and mkcol can also leak some host information. For example, we submit the following request to the server:

PROPFIND/HTTP/1.1

Host:

Content-Length: 0

When IIS is configured to use the host name (see later), the IP address of the host is not exposed, but the NetBIOS name is exposed. In fact, we can use IIS authentication to obtain more information, such as the domain name, by sending the following NTLM authentication request to the server:

Get, HTTP, 1.1

HOST: IIS-Server

Authorization: negotiatetlrmtvntuaabaaaab4iaoaaaaaaaaaaaaaaaaaaaa

The server returns a message:

HTTP/1.1 401 Access Denied

Server: Microsoft-Microsoft IIS/5.0

Date: Fri, 01 Mar 2002 16:24:58 GMT

WWW-Authenticate: negotiate tlmtvntuaacaaaadaamadaaaaafgokgegvyvuvy67u
Aaaaaaaaaaeqaraa8aaaauwbdafkatabmaeeaagamafmaqwbzaewatabbaaea

Dabtaemawqbmaewaqqaeaawauwbdafkatabmaeeaawamafmaqwbzaewatabb

Aaaaaaa =

Content-Length: 3245

Content-Type: text/html

The long string contains the Base 64 encoding of the host name and the name of the domain where the NT is located.

Temporary solution: Go to the C: "inetpub" adminscripts or administs directory under CMD and run the command adsutil set w3svc/UseHostName True.
Net stop IISADMIN/y
Net start w3svc

Default Application ing judgment

It is relatively easy to determine whether the default ing exists. Here, only the response to the corresponding request is provided when the ing exists:

Extension:. Printer

Request: http: // IIS-server/Foo. Printer

Response: HTTP 500-Internal Server Error

Extension:. idc

Request: http: // IIS-server/Foo. idc

Response: Code 500 Internal Server Error

Extension:. idq

Request: http: // IIS-server/Foo. idq

Response Code: 200 OK

Response: The IDQ file D: "dir" "foo. idq is not found.

Extension:. Ida

Request: http: // IIS-server/Foo. Ida

Response Code: 200 OK

Response: The IDQ file D: "dir" foo. IDA is not found.

Extension:. htr

Request: http: // IIS-server/Foo. htr

Response: HTTP 404-file not found

Extension:. HTW

Request: http: // IIS-server/Foo. HTW

Response Code: 200 OK

Response: The format of QUERY_STRING is invalid.

Extension:. stm

Request: http: // IIS-server/Foo. stm

Response: HTTP 404-file not found

Extension:. shtm

Request: http: // IIS-server/Foo. shtm

Response: HTTP 404-file not found

Extension:. shtml

Request: http: // IIS-server/Foo. Ida

Response: HTTP 404-file not found

Determine whether the operating system is a personal version (Professional/workstation)

When IIS is installed on Windows2000 Professional Edition and NT Workstation, the maximum number of connections is 10 at the same time. With this, we can simply determine the operating system version: create 10 HTTP 1.1 persistent connections, 11th connection requests will be placed back 403 error http://netadmin.77169.com/HTML/20040824004500.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.