Re: General Webdav NSE script and the new IIS6 vulnerability
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 19 May 2009 20:39:05 +0000
On Tue, 19 May 2009 21:31:53 +0100
jah <jah () zadkiel plus com> wrote:
On 19/05/2009 21:05, Brandon Enright wrote:
Small world. I worked on this yesterday but I was not able to come
up with a way to determine if IIS 6 has WebDAV enabled. Does Kris's
script work on IIS 6? I gave up after about an hour of playing with
curl/ncat trying to detect if WebDAV is enabled.
I'm playing with the same thing, but haven't got very far. I find
that the PROPFIND method returns HTTP/1.1 501 Not Implemented if
webdav is set to 'prohibited' and HTTP/1.1 207 Multi-Status if it's
allowed. I've only tried this on Windows SBS 2003 SP1 so I don't
know at this point whether this is a reliable way to detect whether
webdav is enabled for different IIS builds and configurations. I
haven't tried Kris's script yet, but intend to if it turns out that
PROPFIND doesn't reliably work.
So I know better than to ask if something works without testing it. It
seems Kris's script requires the HTTP OPTIONS request to be supported
which on most of the IIS 5 servers I tried returned HTTP 400. It did
return positive on a few IIS 5 servers that I know are running WebDAV.
Regarding IIS 6, I tried several IIS 6 servers I know are running WebDAV
and they all returned both 0 for WebDAV properties and 0 for DeltaV.
So not to stop there, I modified Kris's script to print out something
for each of the failures. The "nope # #" is the count of WebDAV
options and DeltaV options respectively. I only scanned machines I
know are running IIS 6:
1 |_ webdav: Got bad status: 301
9 |_ webdav: Got bad status: 302
42 |_ webdav: Got bad status: 400
34 |_ webdav: Got bad status: 401
57 |_ webdav: Got bad status: 403
45 |_ webdav: Got bad status: 404
285 |_ webdav: nope 0 0
At least a dozen of these machines are running WebDAV.
The best idea I came up with yesterday was to brute force/crawl to find
protected folders and then check to see if the exploit worked. I
dismissed this as too slow/unreliable yesterday.
I'd *love* to see a WebDAV script, especially one that checks for this
Unicode authentication bypass. Anybody have any ideas on how to
reliably check for WebDAV on IIS 6?
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org