Day 18/100 of #cybertechdave100daysofcyberchallenge - IIS and WebDAV
Image by Mohamed Hassan on pixabay.com


Today we will continue from yesterday and show one of many ways to exploit a vulnerability in IIS, or more precisely in WebDAV.

What is IIS and what does it stand for?

It is an extensible web server software developed by Microsoft for the Windows NT family. And IIS stands for Internet Information Service.

  • Primarily this software is used to host web pages, and it provides admins with a robust GUI for managing the web site
  • We can develop static and dynamic websites using ASP.NET and PHP
  • Supported file extensions are: .asp, .aspx, .config, .php

What is the meaning of WebDAV mentioned in the intro?

  • WebDAV is a set of HTTP extensions that allow users to collaboratively edit and manage files on a remote server
  • Essentially it allows the IIS Web Server to function as a file server
  • To connect to the service a set of credentials is required -> commonly via username and password

What could a possible exploitation process look like?

  • First we need to identify if WebDAV is configured on the web server
  • If we do not have valid credentials we try a brute force attack
  • If we have valid credentials, we authenticate to the WebDAV service and can then look for sensitive data
  • As a last step we can for example try to create a web shell to execute commands on the web server

How do we identify the service?

Here Nmap, and in particular an Nmap script, was introduced as the technique:

nmap -sV -p 80,443 --script=http-enum <ip>

  • The script checks if the directory "/webdav/" is present -> this indicates the presence of the service
  • The HTTP status code "401 Unauthorized" indicates that authentication is enabled

Let's try to brute-force credentials with the tool "hydra" already used several times:

  • hydra -L <username_list> -P <password_list> <ip> http-get /webdav/

Note:

  • This technique should definitely be used with caution, as it may cause a denial of service in some circumstances

Once we have succeeded with our brute-force attack and obtained a valid set of credentials, we can use the following tools to simplify our exploitation process:

The first tool is "davtest" (https://www.kali.org/tools/davtest/)

  • With this tool we can scan WebDAV services, authenticate to it and also exploit it

Test if an authentication has to be done:

  • davtest -url <domain>

Perform a series of tests, including: creating a directory, uploading different file types, testing which file types can be executed on the server:

  • davtest -auth <username>:<password> -url <domain>

Note:

  • The tool does not upload malicious files when testing the file types
  • With the help of this tool we can prepare the use of our next tool

We then continue with "cadaver" (https://www.kali.org/tools/cadaver/):

  • The tool provides a number of functionalities such as: file upload and download, on-screen displaying, in-place editing, namespace operations like move and copy, creating and deleting collections, property manipulation or resource locking

We use the tool as follows:

Authenticate to WebDAV:

  • cadaver <domain>/webdav/
  • Entering the credentials
  • Getting a shell

Upload a webshell (for example one provided on Kali):

  • put <path_to_webshell> (e.g. on Kali /usr/share/webshells)
  • Execute commands via the form created by the webshell
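Seen from the defender's side, the two steps above leave a clear trace in the IIS logs: a burst of 401 responses against /webdav/ during the brute force, followed by a successful PUT of a file with an executable extension. The following Python is an added example, not part of the original post; it parses constructed IIS W3C log lines (the field names are real IIS W3C field names, the values are made up) and flags both patterns.

```python
# Added example (not from the original post): flag the two WebDAV attack
# patterns described above in IIS W3C log lines, seen from the defender's side:
# a burst of 401s against /webdav/ (credential brute force) and a successful
# PUT/MOVE of an executable file type (web shell upload).
from collections import Counter

# Constructed sample log in IIS W3C format (real field names, made-up values).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-01-01 10:00:00 10.0.0.5 PROPFIND /webdav/ 401
2023-01-01 10:00:00 10.0.0.5 GET /webdav/ 401
2023-01-01 10:00:01 10.0.0.5 GET /webdav/ 401
2023-01-01 10:00:01 10.0.0.5 GET /webdav/ 401
2023-01-01 10:00:02 10.0.0.5 GET /webdav/ 401
2023-01-01 10:00:02 10.0.0.5 GET /webdav/ 200
2023-01-01 10:00:05 10.0.0.5 PUT /webdav/shell.aspx 201
2023-01-01 10:00:09 10.0.0.5 GET /webdav/shell.aspx 200
2023-01-01 10:01:00 10.0.0.9 GET /index.html 200
2023-01-01 10:01:30 10.0.0.9 PUT /webdav/notes.txt 201
"""

# File extensions IIS can execute, as listed in the post.
EXEC_EXT = (".asp", ".aspx", ".php", ".config")

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def detect(text, threshold=5):
    """Return a list of (client_ip, finding) tuples in log order."""
    failed = Counter()   # 401 count per client IP against /webdav/
    findings = []
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        uri, status = rec["cs-uri-stem"], rec["sc-status"]
        if uri.startswith("/webdav/") and status == "401":
            failed[ip] += 1
            if failed[ip] == threshold:   # report once, when the threshold is hit
                findings.append((ip, "possible WebDAV credential brute force"))
        if (method in ("PUT", "MOVE") and status in ("200", "201", "204")
                and uri.lower().endswith(EXEC_EXT)):
            findings.append((ip, f"executable file written via WebDAV: {uri}"))
    return findings
```

On the sample log this reports the brute force from 10.0.0.5 on the fifth 401 and the write of /webdav/shell.aspx, while the plain-text upload from 10.0.0.9 is ignored.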

And that's it for today. :)

#cybertechdave100daysofcyberchallenge #100daysofhacking #penetrationtesting #ine #eJPTv2
