Penetration Testing mailing list archives
Re: Detecting if SecureIIS from Eeye is installed
From: "Ryan Permeh" <ryan () eeye com>
Date: Tue, 22 Jan 2002 22:13:12 -0800
hi. take into account that the content of what is returned is configurable by the server administrator (that is just our default message). and turning head on as a supported method may stop the 406 message. but yes, SecureIIS can be identified by the fact that it does not send textual error data when it handles a request. As you have noted, SecureIIS was not inteded to be a stealth module, and the fact that an IIS web server returns a 406 error at all should be a good tip(i'm not positive IIS generates those naturally in any normal context). hope there isn't any confusion here. Ryan ----- Original Message ----- From: "Sacha Faust" <sacha () severus org> To: <pen-test () securityfocus com> Sent: Monday, January 21, 2002 7:09 PM Subject: Detecting if SecureIIS from Eeye is installed
This is not something big and I don't consider it a bug but it's something that migh be usefull when trying to brake an IIS server. I don't have a copy of the software so
I
don't know if this is cause by misconfiguration or something else. While debugging after someone mentionned a problem with an early version
of
Metis 1.1, I saw that you can detect the presence of the SecureIIS product from Eeye
by
issuing an HEAD request on any files or folder and looking at the return data. The SecureIIS will return HTTP error code 406 (Not Acceptable), Content-Length: 1176 and Content-Type: text/html. It will also announce itself in the reply message. Here is an example E:\Metis>nc -v www.site.com 80 www.site.com [111.111.111.111] 80 (http) open HEAD / HTTP/1.1 406 Server: Microsoft-IIS/4.0 Date: Tue, 22 Jan 2002 02:23:42 GMT Content-Type: text/html Content-Length: 1176 <HTML> <BODY text=#000000 vLink=#ff9900 link=#ff9900 bgColor=#ffffff> <TABLE cellSpacing=5 cellPadding=3 width=400> <TBODY> <TR> <TD vAlign=center align=left width=400><FONT face=Verdana,Arial,Helvetica size=2><FONT size=3><B>SecureIIS application firewall security alert</B></FONT><BR><BR><BR>HTTP Request caused a security alert, please contact our web master if you are getting this alert in
error.<BR><BR>
<HR> <BR><B>What is SecureIIS</B><BR>SecureIIS offers websites running Microsoft Internet Information Server a broad range of protection from common vulnerabilities, both known and unknown. Because
SecureIIS
does not protect against specific vulnerabilities, but classes of vulnerabilities, it allows for a much more far reaching layer of security. <BR><BR> <HR> <BR>For more information on SecureIIS, please visit <A href="http://www.eeye.com/SecureIIS/">http://www.eeye.com/SecureIIS/</A><B R><BR><B><FONT color=#ff7000>eEye</FONT>Ö Digital Security</B> - <I>Vulnerability
Is
Over...</I></FONT></TD></TR></TBODY></TABLE></BODY></HTML> --------- Sacha Faust sacha () severus org Metis : http://www.ideahamster.org/tid.htm --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Detecting if SecureIIS from Eeye is installed Sacha Faust (Jan 22)
- Re: Detecting if SecureIIS from Eeye is installed Ryan Permeh (Jan 23)
- Questions on GSM Penetration test ricci_ieong (Jan 24)
- Re: Questions on GSM Penetration test Tom Buelens (Jan 25)
- Re: Questions on GSM Penetration test M Lister (Jan 26)
- Re: Questions on GSM Penetration test Tom Buelens (Jan 27)
- Re: Questions on GSM Penetration test M Lister (Jan 27)
- Re: Questions on GSM Penetration test Tom Buelens (Jan 27)
- RE: Questions on GSM Penetration test Fernando Cardoso (Jan 28)
- Re: Questions on GSM Penetration test Wouter Slegers (Jan 31)
- Questions on GSM Penetration test ricci_ieong (Jan 24)
- Re: Detecting if SecureIIS from Eeye is installed Ryan Permeh (Jan 23)
- Re: Questions on GSM Penetration test Martin Tomasek (Jan 27)
- Re: Questions on GSM Penetration test John Adams (Jan 28)