Re: Detecting if SecureIIS from Eeye is installed

["Ryan Permeh" <ryan () eeye com>]

hi.
take into account that the content of what is returned is configurable by
the server administrator (that is just our default message).  and turning
head on as a supported method may stop the 406 message.  but yes, SecureIIS
can be identified by the fact that it does not send textual error data when
it handles a request.  As you have noted,  SecureIIS was not inteded to be a
stealth module, and the fact that an IIS web server returns a 406 error at
all should be a good tip(i'm not positive IIS generates those naturally in
any normal context).

hope there isn't any confusion here.

Ryan
----- Original Message -----
From: "Sacha Faust" <sacha () severus org>
To: <pen-test () securityfocus com>
Sent: Monday, January 21, 2002 7:09 PM
Subject: Detecting if SecureIIS from Eeye is installed


> This is not something big and I don't consider it a bug but it's something
> that migh be usefull
> when trying to brake an IIS server. I don't have a copy of the software so
I
> don't know if this is cause by misconfiguration or something else.
> While debugging after someone mentionned a problem with an early version
of
> Metis 1.1,
> I saw that you can detect the presence of the SecureIIS product from Eeye
by
> issuing an HEAD request on any files or folder and looking at the return
> data.
> The SecureIIS will return HTTP error code 406 (Not Acceptable),
> Content-Length: 1176 and Content-Type: text/html. It will also announce
> itself in the reply message. Here is an example
>
> E:\Metis>nc -v www.site.com 80
> www.site.com [111.111.111.111] 80 (http) open
> HEAD /
>
> HTTP/1.1 406
> Server: Microsoft-IIS/4.0
> Date: Tue, 22 Jan 2002 02:23:42 GMT
> Content-Type: text/html
> Content-Length: 1176
>
> <HTML>
> <BODY text=#000000 vLink=#ff9900 link=#ff9900 bgColor=#ffffff>
> <TABLE cellSpacing=5 cellPadding=3 width=400>
>   <TBODY>
>   <TR>
>     <TD vAlign=center align=left width=400><FONT
> face=Verdana,Arial,Helvetica
>       size=2><FONT size=3><B>SecureIIS application firewall security
>       alert</B></FONT><BR><BR><BR>HTTP Request caused a security alert,
> please
>       contact our web master if you are getting this alert in
error.<BR><BR>
>       <HR>
>       <BR><B>What is SecureIIS</B><BR>SecureIIS offers websites
>       running Microsoft Internet Information Server a broad range of
> protection
>
>       from common vulnerabilities, both known and unknown. Because
SecureIIS
>       does not protect against specific vulnerabilities, but classes of
>       vulnerabilities, it allows for a much more far reaching layer of
> security.
>
>       <BR><BR>
>       <HR>
>       <BR>For more information on SecureIIS, please visit <A
>
> href="http://www.eeye.com/SecureIIS/";>http://www.eeye.com/SecureIIS/</A><B
> R><BR><B><FONT
>       color=#ff7000>eEye</FONT>Ö Digital Security</B> - <I>Vulnerability
Is
>       Over...</I></FONT></TD></TR></TBODY></TABLE></BODY></HTML>
>
>
>
>
> ---------
> Sacha Faust
> sacha () severus org
> Metis : http://www.ideahamster.org/tid.htm
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/