Nmap Development mailing list archives
Re: General Webdav NSE script and the new IIS6 vulnerability
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 19 May 2009 20:39:05 +0000
On Tue, 19 May 2009 21:31:53 +0100 jah <jah () zadkiel plus com> wrote:

> On 19/05/2009 21:05, Brandon Enright wrote:
>> Small world. I worked on this yesterday but I was not able to come up with a way to determine if IIS 6 has WebDAV enabled. Does Kris's script work on IIS 6? I gave up after about an hour of playing curl/ncat on trying to detect if WebDAV is enabled.
>
> I'm playing with the same thing, but haven't got very far. I find that the PROPFIND method returns HTTP/1.1 501 Not Implemented if webdav is set to 'prohibited' and HTTP/1.1 207 Multi-Status if it's allowed. I've only tried this on Windows SBS 2003 SP1 so I don't know at this point whether this is a reliable way to detect whether webdav is enabled for different IIS builds and configurations.
>
> I haven't tried Kris's script yet, but intend to if it turns out that PROPFIND doesn't reliably work.
>
> jah

So I know better than to ask if something works without testing it.

It seems Kris's script requires the HTTP OPTIONS request to be supported, which on most of the IIS 5 servers I tried returned HTTP 400. It did return positive on a few IIS 5 servers that I know are running WebDAV.

Regarding IIS 6, I tried several IIS 6 servers I know are running WebDAV and they all returned both 0 for WebDAV properties and 0 for DeltaV properties.

So not to stop there, I modified Kris's script to print out something for each of the failures. The "nope # #" is the count of WebDAV options and DeltaV options respectively. I only scanned machines I know are running IIS 6:

      1 |_ webdav: Got bad status: 301
      9 |_ webdav: Got bad status: 302
     42 |_ webdav: Got bad status: 400
     34 |_ webdav: Got bad status: 401
     57 |_ webdav: Got bad status: 403
     45 |_ webdav: Got bad status: 404
    285 |_ webdav: nope 0 0

At least a dozen of these machines are running WebDAV.

The best idea I came up with yesterday was to brute force/crawl to find protected folders and then check to see if the exploit worked. I dismissed this as too slow/unreliable yesterday.

I'd *love* to see a WebDAV script, especially one that checks for this Unicode authentication bypass.

Anybody have any ideas on how to reliably check for WebDAV on IIS 6?

Brandon
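
The two probes discussed in the message above (PROPFIND status and OPTIONS headers) combined into one per-host verdict, as an added example that is not part of the original message and is not Kris's script. It assumes jah's single-host observation (207 when WebDAV is allowed, 501 when prohibited) and assumes an OPTIONS check looks at the DAV, Allow and Public headers; the verdict names, `SAMPLES` and host labels are constructed for illustration.

```python
from collections import Counter

def parse_response(raw: bytes):
    """Return (status, headers) from a raw HTTP response; header names lower-cased."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def options_advertises_dav(raw: bytes) -> bool:
    """True if a 200 OPTIONS reply has a DAV header or lists PROPFIND."""
    status, headers = parse_response(raw)
    if status != 200:
        return False  # e.g. the HTTP 400 replies reported for OPTIONS on IIS 5
    methods = headers.get("allow", "") + "," + headers.get("public", "")
    listed = {m.strip().upper() for m in methods.split(",")}
    return "dav" in headers or "PROPFIND" in listed

def classify(propfind_raw: bytes, options_raw: bytes) -> str:
    """Verdict for one host: enabled, prohibited, advertised or inconclusive:<status>."""
    status, _ = parse_response(propfind_raw)
    if status == 207:
        return "enabled"      # Multi-Status: PROPFIND was processed
    if status == 501:
        return "prohibited"   # Not Implemented: the observation quoted from jah
    if options_advertises_dav(options_raw):
        return "advertised"   # OPTIONS claims WebDAV, PROPFIND did not confirm it
    return "inconclusive:%d" % status  # redirect, auth or missing path: not a negative

# Constructed sample replies (not captured from any real server): (PROPFIND, OPTIONS).
SAMPLES = {
    "host-a": (b"HTTP/1.1 207 Multi-Status\r\nContent-Type: text/xml\r\n\r\n<x/>",
               b"HTTP/1.1 200 OK\r\nDAV: 1, 2\r\nPublic: OPTIONS, PROPFIND\r\n\r\n"),
    "host-b": (b"HTTP/1.1 501 Not Implemented\r\n\r\n",
               b"HTTP/1.1 200 OK\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n"),
    "host-c": (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n\r\n",
               b"HTTP/1.1 400 Bad Request\r\n\r\n"),
    "host-d": (b"HTTP/1.1 403 Forbidden\r\n\r\n",
               b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, GET, PROPFIND\r\n\r\n"),
}

def tally(samples):
    return Counter(classify(p, o) for p, o in samples.values())
```

Keeping the status code in the inconclusive verdict separates hosts that answered with a redirect, an authentication challenge or a 404 from hosts that actually refused PROPFIND, so they are not counted as WebDAV-disabled.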