how to exploit iis 6

    • #6971
      White ghost
      Participant

      Hello and please help me!
      I'm a new member of ethicalhacker.net. It's pretty good, but I have a bad damn problem with IIS 6 during a penetration test. The WebDAV service is closed on the IIS web server and I can't use the WebDAV exploit. Please help me to exploit the IIS server.

    • #43312
      Anonymous
      Participant

      If you don’t have access to WebDAV, try and think what you do have access to. Maybe you can't exploit the machine!

    • #43313
      White ghost
      Participant

      No, Mr Jamie.R, I scanned the web server with the Metasploit WebDAV scanner and I'm sure the WebDAV service is off. The other IIS exploits in Metasploit are for IIS 4 and 5, not for IIS 6. Do you have exploit code or a tool or something like that?

    • #43314
      White ghost
      Participant

      I can crack the FTP password, but about the IIS, nothing. Please heeeeeelp mee!!!!!!!!!!!!!!!!!!!!!! 😉

    • #43315
      Triban
      Participant

      It is possible that the WebDAV service may have been patched or a workaround has been configured to prevent such an attack. What exploit are you trying to use? CVE?

    • #43316
      White ghost
      Participant

      I wanna use the IIS WebDAV upload ASP exploit in Metasploit with windows/meterpreter/reverse_tcp, but it's not working.

    • #43317
      Triban
      Participant

      What is the error you receive?  Are you attacking from internal or external?  A number of factors may come into play.  Firewall may be using egress filtering and not allowing the traffic to go out over your reverse_tcp session.  IPS may be blocking the attack or the admins may have implemented the workaround from http://osvdb.org/397. 

    • #43318
      White ghost
      Participant

      When the exploit process is completed, Metasploit gives me this message (exploit is completed but no session was created). I think you are right, maybe the firewall is blocking my session. Do you have a solution for this?

    • #43319
      White ghost
      Participant

      And I forgot to tell you something, 3xban: my attack on the web server is external.

      Thanks a lot for helping me.

    • #43320
      White ghost
      Participant

      Anyone have another exploit or tools to hack IIS 6?

    • #43321
      Triban
      Participant

      You may have to consider another way to pop the box. IIS may not be a viable attack vector if it has been properly hardened and the outer defenses are also hardened. Just because something is present, doesn’t always mean it is exploitable.

    • #43322
      White ghost
      Participant

      Yes, 3xban, but I must show an IIS vulnerability to my boss. He likes this damn service, and also I can't go to my office and attack the web server.

    • #43323
      Triban
      Participant

      Well there is nothing wrong with IIS.  The other option is to run a vulnerability scan against it using  a tool like NESSUS or run Microsoft Baseline Security Analyzer (MBSA) against it to see if there are any issues that need resolving.  If the NESSUS scan and MBSA scans come back clean, then there isn’t much else to report.  If there is any specific Web Application running (other than IIS) then you can utilize a number of Web App security testing packages to report if there are any vulnerabilities there. 

      So why can’t you review the box at the office?

    • #43324
      White ghost
      Participant

      Because I wanna act like a malicious hacker. I'm a help desk in my office. I have credentials at the office, but the work is not malicious. I have permission to do that!

    • #43325
      hayabusa
      Participant

      Wait…  You’re saying you’re ‘helpdesk’ and at work you have permission, but you DON’T for this?

      Are you certain you’ve been assigned to, or are being allowed to, test this website / webserver?

      This thread reads like you’re trying to prove a point, without permission…..

      Please clarify EXACTLY what it is you’re doing, and why.

    • #43326
      White ghost
      Participant

      I have permission for the pentest.

    • #43327
      White ghost
      Participant

      And I made this topic for IIS 6 hacking, not for something around my permissions or credentials!

      And thanks, 3xban, for MBSA. I downloaded it.
      It's amazing.

    • #43328
      Triban
      Participant

      No problem.  As for IIS 6 well sometimes you just need to realize that it may not be exploitable based on what is in use.  Not to say that IIS 6 is not vulnerable to other attacks, but if the network is configured properly it is very difficult to use things like reverse TCP shells.  So you need to say “Well this particular server does not make a viable attack vector because…” and state that it is possible that proper firewall rules are in place as well as IDS/IPS systems preventing the attack from happening. 

      IIS 6 is still currently supported by MS so there are regular updates available and there are hardening processes available. So if the person who configured the server originally knew his stuff, then that server might be locked down tight. If you review the last few big breaches you will see that it wasn’t necessarily the version of software that was a problem but the configuration in the particular application. So it wasn’t necessarily because IIS had ASP configured but an application configured with ASP.NET may have not been properly coded and XSS was allowed or the code to the SQL backend wasn’t secured and SQLi was allowed.

      Now if your MBSA report of that server came back green then there may not be any easily exploitable vulnerabilities on the Microsoft end of town. You then have to look at the specific web apps and try there. If it is custom written code then there very well could be some user created vulnerabilities. If there are no apps and it's just a regular old web server well you might not have too many options.

    • #43329
      hayabusa
      Participant

      @White ghost wrote:

      And I made this topic for IIS 6 hacking, not for something around my permissions or credentials!

      And thanks, 3xban, for MBSA. I downloaded it.
      It's amazing.

      Easy there, White ghost…  I know what you started this thread for.

      I understood your reasoning, but for a moment, it just seemed that your motives might’ve been ill-mannered, or at the least, misguided.  And, if you come with attitude, because I simply asked the question, I don’t rightly care what your thread was posted about… 

      For all we’d known, you could just as easily have been a malicious kid, trying to learn the topics for the wrong reason, and feeding us a line.

      Look at it from my perspective, and what would you have ascertained?  It’s relatively rare (at least around these parts) for a Helpdesk person to have anything to do with pentesting in their company, and when your post inferred lack of permissions, when you aren’t in the office…

      So ease up with the defensive attitude…

      I’m glad to see 3xban’s info was worthwhile for you.

    • #43330
      White ghost
      Participant

      Hey you, hayabusa, listen to me.
      I don't have to explain to you, and don’t slander me without a valid reason. I study CEH and I'm a beginner in the hackers' world if and I just spoke with 3xban not yes I'm a help desk in a small company. As I said, I wanna act like a malicious hacker because my boss knows I can gain access to the web server with my credentials in the office.
      And you, if you don't wanna help me, don't post to this topic again.

    • #43331
      White ghost
      Participant

      Thank you 3xban
      You surprised me with your useful info. I start scanning our web server
      and I will tell about the result later. Thanks again and
      GOOOOOOOD LUUUUUUUUCCCKKKK

    • #43332
      hayabusa
      Participant

      Ok…  You win.  You’ll get no more response (or help) from me, after this post – on this thread, or any other, because your attitude is shining through.  You’re taking this way too seriously.  I asked you a question, because things seemed fishy.  You fired back, guns blazing.  Simply clarifying would have been enough.  Period.  And then we’d be getting along, wonderfully.

      I even – nicely – responded at the end of my previous post, saying that I was glad 3xban’s post was helpful to you.

      Anyway…  Good luck in your efforts.  Whether or not you choose to believe me, I wish you well.  But until you want to realize otherwise, that my intentions were justified, you’ve burned a bridge.  Take care.

    • #43333
      White ghost
      Participant

      Hello and sorry for my attitude.

      I'm so sorry for that, but your attitude was not good too. You never helped me with my problem. Look at your posts in my topic, when you told me
      ( For all we’d known, you could just as easily have been a malicious kid, trying to learn the topics for the wrong reason, and feeding us a line. ) I was very upset because
      I did nothing wrong. I'm from Turkey and I can't speak English very well. By the way, I'd like to continue this conversation with you in the topic if you like.

    • #43334
      Triban
      Participant

      I’m glad my information was helpful.  Though I will side with Hayabusa on the attitude adjustment.  I tend to try and help where I can here since these guys are full of awesome information and are always helpful when the need is legitimate.

      My rule of thumb is that if you are new to a group such as this, you need to observe a bit.  Understand the group better and who the top players are.  If you jump right in and start off with asking questions for help, usually that is a red flag.  I am sorry that I didn’t question your motives sooner but as I said, I tend to be a helpful guy.  When you get overly defensive on something, it leads us to believe your motives may be more on the UN-ethical side of things. 

      As you mentioned you are from Turkey and the language barrier may have you coming off a bit more defensive than expected.  And that is fine.  From our standpoint there is at least one post a day that is someone asking for help or looking to hire someone to perform some unsavory tasks.  We tend to probe the individual before answering any questions.  I figured my suggestions were nothing you cannot find on google so I didn’t see any threat in answering your questions.  If you truly mean to get educated here and use your powers for good instead of evil, then please continue being part of the community.  If not, well then like Hayabusa said, you will not get any additional help from us.

      Good luck.

    • #43335
      White ghost
      Participant

      yes you are right

    • #43336
      White ghost
      Participant

      and what do you wanna know?!

    • #43337
      hayabusa
      Participant

      @White_ghost –

      No harm, no foul.  So long as you’re understanding of WHY I asked what I did, initially, and we’re past any hostilities, I’m happy to meet / know you.  As 3xban noted we generally ‘feel out’ the new person / situation, before simply replying.  Thus, my initial questioning.

      That said, if you have further questions, post away, and we’ll see about helping. 

      Again, I / we don’t mean to offend you, and if I did, you have my apologies.  As 3xban noted, I think the language barrier didn’t help you to follow my meanings, and as he noted, if you dig around a bit, here, you’ll see I don’t generally respond with an attitude, but rather, one of caution, if I have any initial doubts.  I just ask that you consider it from our perspective, and I think you’ll understand why I asked what I did, in the context of ‘ethical hacking.’

      Take care, and again, good luck!

    • #43338
      White ghost
      Participant

      Hello 3xban and hayabusa,
      and what's up?!
      I have a problem with MBSA. I can scan computers in my local subnet,
      but about our web server, I can't scan it from the internet. It gives me this error:

      Could not resolve the computer name: . Please specify computer name, domain\computer, or an IP address.

      And then when I use the server IP address, it gives me this message
      again.

      My internet connectivity is fine, the DNS servers are working properly,
      I can ping our server, I can run a port scanner like nmap on it,
      and everything is great except the MBSA program.

      I have BackTrack Linux. Can I use Nikto to scan our server, or what's your recommendation?

      And again, thank you for your help
      and good luck.

    • #43339
      Triban
      Participant

      MBSA can only be used on the internal network and you need rights to the system you are scanning.  It is a Sys Admin tool, not a penetration testing tool.  It requires a number of ports open that are typically opened to local network resources.  WMI is one of the main components it utilizes.

    • #43340
      White ghost
      Participant

      All right, what about Nikto and other web scanners on BackTrack Linux?

    • #43341
      l33t5h@rk
      Participant

      I think before you just start going through tools, you should map out your plan for the demonstration. As you’re using Metasploit …

      Intelligence Gathering
      Steps X,Y,Z
      Threat model X,Y,Z
      Known/Discovered Vulnerabilities X,Y,Z
      Exploitation (your Proof of concept) QED

      Showing your boss a detailed plan and how you obtained the results would be more beneficial than what has been listed so far. Also, I’d be very careful if this is on a production box. Work in non-prod regions of SDLC if possible.


Copyright ©2021 Caendra, Inc.
