Bringing up security issues with Microsoft's IIS Web server, many people immediately think of the deadly, blessed
Vulnerabilities: UNICODE, CGI parsing,. IDA,IDQ,. Printer remote overflow and so on. These are the great loopholes I'm afraid to wait for scripts.
Kidding's favorite, using them can be very easy to get higher system privileges. But this article is not a discussion of these fatal vulnerabilities, but a more detailed description of how to remotely determine the IIS server settings, such as directory permissions, authentication methods and so on, some things are already very old, but the new things are worth seeing. I hope this paper can play a role in the study. Okay, cut the crap, go~!.
Remotely Determine directory Permissions
Let's open an IIS server to see. In IIS Service Manager, select a directory to see his properties
There are some options in the Directory property entry (log access and index this resource is not counted):
Script resource access: Scripts for Web sites can read the original file.
Read the static resources inside the directory.
Write users can create and delete resources
Directory browsing users can browse the contents of the directory.
There are three options in the execution license for application settings:
No access to static pages only
Pure script only allows scripts such as ASP scripts to be allowed
Script and executable programs can access and execute various file types
So, how do you determine these switch settings on the server? Don't worry, one of them comes.
Execute permissions
How do I determine if a directory has permission to execute? Very simply, send a request to the server below:
Http://iis-server/dir/no-such-file.dll
/dir/to judge the directory, No-such-file.dll is casually get a name, the server does not have this file.
The server will return a message to our request. If a 500 error is returned:
HTTP 500-Internal server error (Internal server error)
Then it means that the permissions on the directory are open. For servers, do not open the execution authority. In particular, the implementation of the virtual directory permissions, we think of Unicode and two of times decoding vulnerabilities in the use of the process to understand.
If the server returns a 404 error:
HTTP 404-File not Found
Then it shows that the execution permissions for this directory are not open.
Write permission
To test whether a directory has write permissions for a Web user, use the following methods:
Telnet to the server's Web port (80) and sends a request for the following:
Put/dir/my_file.txt http/1.1
Host:iis-server
Content-length:10 <enter><enter>
The server then returns a 100 (continue) Message:
http/1.1 Continue
server:microsoft-iis/5.0
Date:thu, Feb 2002 15:56:00 GMT
Next, we enter 10 letters:
Aaaaaaaaaa
After sending out this request, look at the server's return information if it is a 201 created response:
Then it means that the Write permission for this directory is open, conversely, if the return is a 403 error, then write permission is
Not open, if you need authentication, and return a 401 (permission prohibited) response, it is open Write permission, but anonymous users do not allow. If a directory has both "write" and "script and executable programs" open, then Web users can upload a program and execute it, scary oh%^#$!~
Pure Script Execution Permissions
There are too many of these directories. Many directories that do not need to execute permissions are also given script execution permissions by the administrator, and I remember
Shotgun an article in which he said: the smallest permissions + the least service = maximum security; nothing wrong. It is not necessary to give any extra permissions to the directory. It is also simple to determine whether a directory can execute a plain script file, sending a request as follows:
Http://iis-server/dir/no-such-file.asp
Return 404 file does not exist description has EXECUTE permission, return 403 is not open.
Browse Directory Permissions
It may take a little trick to determine whether a directory is allowed to browse, but the default home page (such as: default.asp) does not exist. Enter in the browser:
http://iis-server/dir/
If the permission is open, it returns 200 responses and lists the contents of the current directory, otherwise it is closed without listing the directory. But what if the default page default.asp exist? Typing the above address directly opens the page. Don't worry,
WebDAV has a request method called: Profind. This method allows us to get some information from the server resources, such as filename, creation time, last modified time, and so on. With it we can also bypass default.asp to determine the directory browsing permissions, Telnet to the Iis-server Web port, send the following request:
propfind/dir/http/1.1
Host:iis-server
content-length:0
At this point, the server sends back a 207 Multi status response, and if the directory is allowed to browse, it also lists the resources in the directory and their attributes. If directory browsing is not allowed, the information returned will be much less. Directory browsing generally can only be regarded as a low risk level of vulnerability, such as a images directory, in addition to the picture there is nothing else, there is no harm to the security of the server, but, If the directory contains a management page adminpage.asp or some database connection information file, may cause your server to hand over to the intruder.
Read permissions
It is easy to judge this, send a request with TXT file can:
Http://iis-server/dir/no-such-file.txt
If a response that does not exist for a 404 file is returned, the Read permission is open, anyway, the return of the 403 error indicates that the permission is not open. Early years of contact with security must know:: $DATA leakage of ASP source code loopholes, in fact, if a directory inside the powerful ASP script, then read permissions can not open, the ASP only need script execution permissions on it.
The judgment of IIS authentication method
This vulnerability was only recently announced, with IIS servers supporting anonymous access, Basic authentication and Windows Integration authentication using NTLM, and if the client sends a request that contains authentication information, IIS will forcibly attempt to authenticate with the authentication information and put back the unresponsive response. This allows us to determine the authentication configuration of IIS.
To determine if IIS supports Basic authentication, you can telnet to the server's port 80 and send the following request:
get/http/1.1
Host:iis-server
Authorization:basic C3lzdgvtom1hbmfnzxia
This is a Basic authentication request that contains a base 64 encoded user ID and a string of characters after pass,basic after base 64 decoding is System:manager. If the server returns a 401 message, the Basic authentication option is open. If 200 information is returned, there are 2 possibilities, the Basic authentication option is not on or the server exists a username is
System username, and the password is manager (guess, good luck).
To determine if the NTLM option is turned on, you can send the following request to IIS
Similarly, if 401 messages are returned, the description supports NTLM, and 200 indicates that the no NTLM authentication option is not turned on.
For most Web sites, these two authentication methods are not required to open, they are likely to reveal some of the server's important information.
Leaking internal IP address information
If the IIS server is inside a firewall using NAT, there is usually an internal address such as 10.x.x.x.
If IIS has the Basic authentication option turned on, sending a simple request like this can get the server's internal IP:
get/http/1.1
Host:
Authorization:basic C3lzdgvtom1hbmfnzxia
The server will return a response as follows:
http/1.1 401 Access Denied
server:microsoft-iis/5.0
Date:fri, Mar 2002 15:45:32 GMT
Www-authenticate:basic realm= "10.1.1.2"
Connection:close
content-length:3245
Content-type:text/html
That 10.1.1.2 is the machine's internal IP address, the original realm value is provided by the client to a host header, but here it is empty, so IIS chose the local IP address to replace. Similarly, using the return information of requests such as Propfind,write,mkcol can also reveal some information about the host, such as we bring to the server the following request:
propfind/http/1.1
Host:
content-length:0
When IIS is configured to use a host name (see later), the IP address of the host is not exposed, but the NetBIOS name is exposed. In fact, we can use the authentication of IIS to get more information, such as the name of the domain, by sending the following NTLM-authenticated request to the server:
That long string of characters contains the base 64 encoding of the hostname and the name of the NT domain.
Temporary solution: Under CMD to enter c:\inetpub\adminscripts or Adminiscript directory to execute the command
adsutil set W3svc/usehostname True
net stop iisadmin/y
net start w3svc
Default Application mapping judgment
It is simpler to determine whether the default mappings exist, but simply give a response to the corresponding request in the presence of the mapping:
Extension:. Printer
Request: Http://iis-server/foo.printer
Response: HTTP 500-Internal server error
Name extension:. idc
Request: HTTP://IIS-SERVER/FOO.IDC
Response: Code Internal Server Error
Extension:. idq
Request: HTTP://IIS-SERVER/FOO.IDQ
Response Code: MB OK
Response: IDQ file not found D:\DIR\\FOO.IDQ
Extended name:. Ida
Request: Http://iis-server/foo.ida
Response Code: MB OK
Response: IDQ file not found D:\dir\foo.ida
Extension:. htr
Request: HTTP://IIS-SERVER/FOO.HTR
Response: HTTP 404-File not Found
Extension:. htw
Request: HTTP://IIS-SERVER/FOO.HTW
Response Code: MB OK
Response: Invalid format for query_string
Extension:. stm
Request: Http://iis-server/foo.stm
Response: HTTP 404-File not Found
Extension:. shtm
Request: Http://iis-server/foo.shtm
Response: HTTP 404-File not Found
Extension:. shtml
Request: Http://iis-server/foo.ida
Response: HTTP 404-File not Found
Determine if the operating system is a personal version (Professional/workstation)
IIS installed in the Windows2000 Professional Edition and NT Workstation above the simultaneous number of connections to the maximum of 10, using this we can simply determine the operating system version: Create 10 HTTP 1.1 continuous connection, the 11th connection request will put back 403 error messages.
Something: For a variety of reasons, my company closed down, no work, the heart is messy, so the translation of the time is also cut head to the tail, we do not scold me, I took to the hacker line of defense fraud royalties. If you do not understand where you can refer to the following several:
Http://www.nextgenss.com/papers/iisrconfig.pdf English Original
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.