Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Scanning for WebDAV vulns
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Wed, 20 May 2009 22:05:02 -0500

Ron wrote:
Hi again,

We've made a number of updates to the script, mostly written by a friend
of mine, including:
1) Adding support for discovering whether or not WebDAV is enabled
2) Checking if root folder is protected (we can't do checks if it is)
3) We support Windows XP (IIS 5.1) now.

I've committed that change to SVN if anybody wants to give it a try --
please test it if you can, and let me know if you get any weird errors.
We tried to account for every situation.

Also, if anybody knows how to exploit this on IIS 5.0 (Windows 2000),
please let me know -- we couldn't figure out a way.

Ron


Ron,

I've done a bit of testing on your script against a couple of my systems, and for the most part it appears to work very well. It correctly detected WebDAV enabled or disabled on the systems I ran it against, and also correctly detected that the unpatched systems with WebDAV enabled were vulnerable. However, I noticed a typo on line 148 (I'm working w/SVN revision 13361) where you have pring_debug instead of print_debug. This leads to the following error when running with -d and --script-trace:

NSE: http-iis-webdav-vuln threw an error!
./scripts/http-iis-webdav-vuln.nse:148: attempt to call field 'pring_debug' (a nil value)
stack traceback:
./scripts/http-iis-webdav-vuln.nse:148: in function <./scripts/http-iis-webdav-vuln.nse:135>

This particular incident was running against a Windows XP machine, IIS 5.1, with WebDAV disabled through registry settings.

The other suggestion that I have is to possibly add port 443 and/or the service "https" to the portrule, similar to the way http-auth and http-passwd do. This allows the script to run against secure web servers without having to perform version scanning with -sV.

Thanks for your great work on this script.

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault