Re: Scanning for WebDAV vulns
From: Thomas Buchanan <tbuchanan () thecompassgrp net>
Date: Wed, 20 May 2009 22:05:02 -0500
> We've made a number of updates to the script, mostly written by a friend
> of mine, including:
> 1) Adding support for discovering whether or not WebDAV is enabled
> 2) Checking if root folder is protected (we can't do checks if it is)
> 3) We support Windows XP (IIS 5.1) now.
>
> I've committed that change to SVN if anybody wants to give it a try --
> please test it if you can, and let me know if you get any weird errors.
> We tried to account for every situation.
>
> Also, if anybody knows how to exploit this on IIS 5.0 (Windows 2000),
> please let me know -- we couldn't figure out a way.

I've done a bit of testing on your script against a couple of my
systems, and for the most part it appears to work very well. It
correctly detected WebDAV enabled or disabled on the systems I ran it
against, and also correctly detected that the unpatched systems with
WebDAV enabled were vulnerable. However, I noticed a typo on line 148
(I'm working w/SVN revision 13361) where you have pring_debug instead of
print_debug. This leads to the following error when running with -d and
NSE: http-iis-webdav-vuln threw an error!
./scripts/http-iis-webdav-vuln.nse:148: attempt to call field 'pring_debug' (a nil value)
./scripts/http-iis-webdav-vuln.nse:148: in function
This particular incident was running against a Windows XP machine, IIS
5.1, with WebDAV disabled through registry settings.
The other suggestion that I have is to possibly add port 443 and/or the
service "https" to the portrule, similar to the way http-auth and
http-passwd do. This allows the script to run against secure web
servers without having to perform version scanning with -sV.
Thanks for your great work on this script.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
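
Added example (not part of the original message and not the script's own code): a stand-alone Lua model of the portrule suggestion above, showing which ports a rule selects with and without -sV. The "narrow" rule is a hypothetical starting point, the port tables are constructed, and the matcher is a simplified stand-in modelled on shortport.port_or_service so the block runs in plain Lua without Nmap.

```lua
-- NSE hands each portrule a port table carrying .number, .protocol, .state
-- and .service. Without -sV the service name is only a lookup by port number;
-- with -sV it is what the probe actually identified.

local function contains(list, value)
  for _, v in ipairs(list) do
    if v == value then return true end
  end
  return false
end

-- Simplified stand-in for shortport.port_or_service: match an open TCP port
-- by port number OR by service name.
local function port_or_service(ports, services)
  return function(host, port)
    if port.protocol ~= "tcp" or port.state ~= "open" then return false end
    return contains(ports, port.number) or contains(services, port.service)
  end
end

-- Hypothetical narrow rule (plain HTTP only) and the rule with the
-- suggestion applied (port 443 and service "https" added).
local narrow = port_or_service({80}, {"http"})
local wide   = port_or_service({80, 443}, {"http", "https"})

-- Constructed port tables for illustration.
local samples = {
  {desc = "80/tcp, no -sV (table says http)",
   number = 80, protocol = "tcp", state = "open", service = "http"},
  {desc = "443/tcp, no -sV (table says https)",
   number = 443, protocol = "tcp", state = "open", service = "https"},
  {desc = "8443/tcp, -sV found http over ssl",
   number = 8443, protocol = "tcp", state = "open", service = "http"},
  {desc = "8443/tcp, no -sV (table says https-alt)",
   number = 8443, protocol = "tcp", state = "open", service = "https-alt"},
  {desc = "443/tcp closed",
   number = 443, protocol = "tcp", state = "closed", service = "https"},
}

for _, p in ipairs(samples) do
  print(string.format("%-42s narrow=%-5s wide=%s",
    p.desc, tostring(narrow(nil, p)), tostring(wide(nil, p))))
end
```

The 443/tcp row is the coverage gap the suggestion closes: the narrow rule skips it unless -sV relabels the service. An HTTPS server on a non-standard port is still only selected when version scanning identifies it.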