Remote Analysis of IIS settings


When people talk about the security of Microsoft's IIS web server, they usually think first of the fatal vulnerabilities: UNICODE, CGI parsing, .ida/.idq, the .printer remote overflow, and so on. These well-known vulnerabilities are favourites of script kiddies and can be used to gain high system privileges with little effort. This article does not discuss those fatal vulnerabilities; instead it describes in detail how to remotely determine various settings of an IIS server, such as directory permissions and authentication methods. Some of the material is very old, but the newer parts are worth reading. I hope the article serves as a useful example. Enough chatter, let's get started!

Remotely determine Directory Permissions

Open IIS Service Manager on an IIS server, select a directory and view its properties.

The directory property page has the following options (ignoring "Log visits" and "Index this resource"):

Script source access: scripts on the website may read the original source file.

Read: users may read the static resources in the directory.

Write: users may create and delete resources.

Directory browsing: users may list the contents of the directory.

The execute permission under "Application settings" has three options:

None

Scripts only: only scripts such as ASP pages may run.

Scripts and Executables: files of any type may be accessed and executed, as scripts or as executable programs.

So, how can we determine how these switches are set on the server? Don't worry, we will take them one by one.

Execution permission

How can we tell whether execute permission is enabled for a directory? Send the following request to the server:

http://iis-server/dir/no-such-file.dll

/dir/ is the directory to test; no-such-file.dll is just a made-up name that does not exist on the server.

The server answers our request. If it returns a 500 error:

HTTP 500 - Internal Server Error

then execute permission is enabled for this directory. Servers should not grant execute permission where it is not needed, especially on virtual directories; to see why, look at how the UNICODE and double-decoding vulnerabilities are exploited.

If a 404 error is returned by the server:

HTTP 404 - File Not Found

The execution permission of this directory is not enabled.

Write Permission

Use the following method to test whether web users have write permission on a directory:

Telnet to the web port (80) of the server and send the following request, followed by an empty line:

PUT /dir/my_file.txt HTTP/1.1

Host: iis-server

Content-Length: 10

At this time, the server will return a 100 (CONTINUE) message:

HTTP/1.1 100 Continue

Server: Microsoft-IIS/5.0

Date: Thu, 28 Feb 2002 15:56:00 GMT

Then, we enter 10 letters:

AAAAAAAAAA

After sending this, check the server's response. If it is a 201 Created response:

HTTP/1.1 201 Created

Server: Microsoft-IIS/5.0

Date: Thu, 28 Feb 2002 15:56:08 GMT

Location: http://iis-server/dir/my_file.txt

Content-Length: 0

Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

This indicates that the write permission for this directory is open. Otherwise, if a 403 error is returned, the write permission is

If authentication is required and a 401 (Access Denied) response is returned, write permission is enabled but anonymous users are not allowed. If both "Write" and "Scripts and Executables" are enabled on a directory, a web user can upload a program and execute it!

Script-only execution permission

This is very common: many directories that do not need execute permission at all are nonetheless granted script execute permission by the administrator.

In an article, shotgun said: minimum permissions + minimum services = maximum security; there is nothing wrong with that. It is unnecessary to grant a directory any permission it does not need. It is just as easy to determine whether a directory can run plain script files; send a request such as:

http://iis-server/dir/no-such-file.asp

If a 404 (file not found) response is returned, script execute permission is granted. If a 403 response is returned, script execute permission is disabled.

Directory browsing permission

Determining whether a directory allows browsing may take a small trick. If the site's default document (for example default.asp) does not exist, it is much simpler. Enter:

http://iis-server/dir/

If the permission is on, the server returns a 200 response and lists the contents of the directory. Otherwise, if the directory is not listed, the option is off. But what if the default page default.asp does exist? Opening the address above would just show that page. Don't worry:

WebDAV has a request method called PROPFIND. It lets us obtain information about a server resource, such as file names, creation time and last-modification time. With it we can also get around default.asp to determine the directory browsing permission. Telnet to the web port of iis-server and send the following request:

PROPFIND /dir/ HTTP/1.1

Host: iis-server

Content-Length: 0

The server will then return a 207 Multi-Status response. If the directory can be browsed, the resources in the directory and their attributes are listed as well. If directory browsing is not allowed, more information will be returned. In general, directory browsing can only be regarded as a low-risk vulnerability. For example, if an images directory contains nothing but images, it does no harm to server security. But if the directory contains something like admin.asp or files holding database connection information, it may hand your server over to intruders.

Read Permission

This one is easy to determine. Send a request for a .txt file:

http://iis-server/dir/no-such-file.txt

If a 404 (file not found) response is returned, read permission is on; if a 403 error is returned, read permission is off. Anyone who has followed security for a few years knows the ::$DATA vulnerability that exposed ASP source code. In fact, if an ASP script sits in a directory, read permission is not needed; ASP only requires script execute permission.

IIS authentication method judgment

This vulnerability was announced recently. IIS supports anonymous access, Basic authentication, and Windows integrated authentication using NTLM. If a client sends a request that contains authentication information, IIS will forcibly try to authenticate with it and return a corresponding response. In this way we can determine the IIS authentication configuration.

To determine whether IIS supports Basic authentication, telnet to port 80 on the server and send the following request:

GET / HTTP/1.1

Host: iis-server

Authorization: Basic c3lzdGVtOm1hbmFnZXIA

This is a Basic authentication request containing a base64-encoded user name and password; the string after "Basic" decodes to system:manager. If the server returns a 401 message, the Basic authentication option is on. If 200 is returned, there are two possibilities: either Basic authentication is not enabled, or the server really has a user named system with the password manager (if you guessed right, that would be a huge success).

To determine whether the NTLM option is enabled, send the following request to IIS:

GET / HTTP/1.1

Host: iis-server

Authorization: Negotiate tlrmtvntuaabaaaab4iaoaaaaaaaaaaaaaaaaaaaa=

Likewise, if a 401 message is returned, NTLM is supported. If 200 is returned, the NTLM authentication option is disabled.

For most websites these two authentication methods do not need to be enabled; they may leak important information about the server.

Leakage of internal IP address information

If the IIS server sits behind a NAT firewall, it usually has an internal address such as 10.x.

If the Basic authentication option is enabled on IIS, the internal IP address of the server can be obtained with a simple request:

GET / HTTP/1.1

Host:

Authorization: Basic c3lzdGVtOm1hbmFnZXIA

The server returns the following response:

HTTP/1.1 401 Access Denied

Server: Microsoft-IIS/5.0

Date: Fri, 01 Mar 2002 15:45:32 GMT

WWW-Authenticate: Basic realm="10.1.1.2"

Connection: close

Content-Length: 3245

Content-Type: text/html

10.1.1.2 is the internal IP address of the machine. The realm value is normally the Host header supplied by the client, but here it is empty, so IIS substitutes the local IP address instead. Likewise, the responses to requests such as PROPFIND, WRITE and MKCOL can leak host information. For example, we submit the following request to the server:

PROPFIND / HTTP/1.1

Host:

Content-Length: 0
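As an added example (not part of the original article), the following Python script scans constructed IIS W3C log lines for the probe pattern the sections above describe: PUT and PROPFIND requests, GET requests for non-existent .dll/.asp/.txt names, and authentication attempts with an empty Host header, and flags client addresses that use several kinds of probe. The field layout and sample lines are assumptions; IIS writes "-" for an empty field.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the article); "-" marks an empty field.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2002-02-28 15:55:10 192.0.2.10 GET /dir/no-such-file.dll 500 iis-server
2002-02-28 15:55:12 192.0.2.10 GET /dir/no-such-file.asp 404 iis-server
2002-02-28 15:55:14 192.0.2.10 PUT /dir/my_file.txt 201 iis-server
2002-02-28 15:55:16 192.0.2.10 PROPFIND /dir/ 207 iis-server
2002-02-28 15:55:20 192.0.2.10 GET / 401 -
2002-02-28 15:56:00 198.51.100.7 GET /index.asp 200 iis-server
2002-02-28 15:56:05 198.51.100.7 GET /images/logo.gif 200 iis-server
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def probe_kind(rec):
    """Map one log record to the probe the article describes, or None."""
    method = rec["cs-method"]
    path = rec["cs-uri-stem"].lower()
    status = int(rec["sc-status"])
    if method == "PUT":                                   # write-permission test
        return "write-probe"
    if method in ("PROPFIND", "MKCOL"):                   # WebDAV listing / host leak
        return "webdav-probe"
    if rec.get("cs-host", "-") == "-" and status == 401:  # empty Host + auth attempt
        return "empty-host-auth"
    if method == "GET" and status in (404, 500) and path.endswith((".dll", ".exe")):
        return "execute-probe"
    if method == "GET" and status in (403, 404) and path.endswith(".asp"):
        return "script-probe"
    if method == "GET" and status in (403, 404) and path.endswith(".txt"):
        return "read-probe"
    return None

def find_probers(text, min_kinds=3):
    """Return {client ip: sorted probe kinds} for clients using >= min_kinds probes."""
    seen = defaultdict(set)
    for rec in parse_w3c(text):
        kind = probe_kind(rec)
        if kind:
            seen[rec["c-ip"]].add(kind)
    return {ip: sorted(kinds) for ip, kinds in seen.items() if len(kinds) >= min_kinds}

if __name__ == "__main__":
    for ip, kinds in find_probers(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(kinds))
```

Enable the cs-host field in the IIS logging options, otherwise the empty-Host signal is not available.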


When IIS is configured to use the host name (see later), the host IP address is not exposed, but the NetBIOS name is. In fact, IIS authentication can be used to obtain even more information, such as the domain name, by sending the following NTLM authentication request to the server:

GET / HTTP/1.1

Host: iis-server

Authorization: Negotiate tlrmtvntuaabaaaab4iaoaaaaaaaaaaaaaaaaaaaa

The server returns a message:

HTTP/1.1 401 Access Denied

Server: Microsoft-IIS/5.0

Date: Fri, 01 Mar 2002 16:24:58 GMT

WWW-Authenticate: Negotiate tlmtvntuaacaaaadaamadaaaaafgokgegvyvuvy67uAAAAAAAAAAEQARAA8AAAAUwBDAFkATABMAEEAAgAMAFMAQwBZAEwATABBAAEADABTAEMAWQBMAEwAQQAEAAwAUwBDAFkAT
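To see exactly what a challenge like the one above discloses, here is an added example (not from the article) that builds a constructed NTLM CHALLENGE_MESSAGE with made-up host and domain names and parses the target name and AV pairs back out of a WWW-Authenticate header, which is how a defender can check what their own server leaks. It assumes the header carries raw NTLMSSP bytes, as the response above shows, rather than an SPNEGO wrapper.

```python
import base64
import struct

# MS-NLMP AV pair ids found in the challenge's TargetInfo block
AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer", 4: "DNS domain", 5: "DNS tree"}
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000

def build_challenge(nb_host, nb_domain, dns_host, dns_domain):
    """Constructed CHALLENGE_MESSAGE (type 2) carrying the given made-up names."""
    target = nb_domain.encode("utf-16-le")
    av = b""
    for av_id, value in ((2, nb_domain), (1, nb_host), (4, dns_domain), (3, dns_host)):
        data = value.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(data)) + data
    av += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    t_off = 48                      # fixed header length without the Version field
    i_off = t_off + len(target)
    msg = (b"NTLMSSP\0" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), t_off)
           + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO)
           + bytes(range(8))        # server challenge (fixed here, random in reality)
           + b"\0" * 8              # reserved
           + struct.pack("<HHI", len(av), len(av), i_off)
           + target + av)
    return "Negotiate " + base64.b64encode(msg).decode()

def parse_challenge(header_value):
    """Return the names a WWW-Authenticate NTLM/Negotiate challenge discloses."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    t_len, _, t_off = struct.unpack_from("<HHI", raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    i_len, _, i_off = struct.unpack_from("<HHI", raw, 40)
    info = {"scheme": scheme, "target": raw[t_off:t_off + t_len].decode("utf-16-le")}
    pos, end = i_off, i_off + i_len
    while flags & NEGOTIATE_TARGET_INFO and pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        if av_id == 0:
            break
        info[AV_NAMES.get(av_id, "av%d" % av_id)] = raw[pos + 4:pos + 4 + av_len].decode("utf-16-le")
        pos += 4 + av_len
    return info

if __name__ == "__main__":
    print(parse_challenge(build_challenge("WEBSRV01", "CORP", "websrv01.corp.example", "corp.example")))
```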
