MS IIS - WebDAV
Last updated
Last updated
Microsoft Internet Information Services (IIS) is a proprietary web server developed by Microsoft for the Windows NT family. It supports hosting both static and dynamic websites and web applications, including those built in ASP.NET and PHP. IIS provides a user-friendly graphical interface for administrators to manage and configure websites, typically running on ports 80 (HTTP) and 443 (HTTPS). Supported file extensions include .asp, .aspx, .config, and .php, making it versatile for handling various web technologies.
WebDAV (Web-based Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers, essentially turning a web server into a file server. It runs on Microsoft IIS, typically on ports 80 or 443, and requires legitimate credentials (username and password) for authentication. In exploitation, attackers may first identify if WebDAV is enabled on IIS, then attempt brute-force attacks to discover valid credentials. Once authenticated, they can upload malicious files, like an .asp payload, to execute commands or gain control over the target system.
Hydra will attempt to guess valid login credentials by using a list of usernames (specified with -L) and a list of passwords (specified with -P). It sends HTTP GET requests to the target IP at the specified WebDAV directory, systematically trying combinations of usernames and passwords until it finds a match or exhausts the lists. This method is typically used to test the security of a web server's authentication system.
davtest: davtest is a tool used to scan, authenticate, and exploit WebDAV servers. It automates attempts to upload various file types (e.g., .asp, .php, .jsp) to test whether the server is vulnerable to malicious uploads.
It first creates a directory in the WebDAV folder, then attempts to upload files with various extensions. After uploading, it checks if the test files can be executed on the server. This process helps determine whether it's possible to upload and execute malicious files, like webshells, which could be used to gain unauthorized access.
cadaver: cadaver is a command-line WebDAV client that supports file uploads, downloads, on-screen displays, in-place editing, file manipulation (like move and copy), creation/deletion of directories, and resource locking. It acts like a remote file system manager.
An ASP payload using msfvenom refers to a malicious script created in ASP (Active Server Pages) format using the msfvenom tool from Metasploit. msfvenom is used to generate various types of payloads that can exploit vulnerabilities on a target system. In this case, it creates an ASP payload that can be uploaded to and executed on a web server running ASP, potentially providing attackers with control over the system.
The command is used to generate a reverse shell payload in ASP format using the Metasploit msfvenom tool. The payload is configured to connect back to the attacker's machine (specified by LHOST and LPORT) using the Meterpreter shell over a TCP connection. The generated payload is saved as shell.asp, which can be uploaded and executed on a vulnerable web server, allowing the attacker to gain remote access to the system.
The -f asp option specifies the output format of the payload as an ASP file, which is suitable for web servers running ASP. If you're unsure of the remote system's architecture, it's recommended to select a 32-bit payload, as it is more likely to be compatible with both 32-bit and 64-bit systems, ensuring a higher chance of successful exploitation.
After uploading and running the shell.asp file on the target server, the reverse shell will be activated. This will establish a connection back to the attacker's machine, allowing them to interact with the webshell through the Metasploit framework (msf), enabling remote access and control of the target system.
