Penetration Testing mailing list archives
Re: [PEN-TEST] Question regarding IIS method options & www version
From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Tue, 5 Dec 2000 22:47:34 -0600
-----Original Message-----
From: Pen Tester [mailto:pen_tester () HOTMAIL COM]
Sent: Tuesday, December 05, 2000 4:25 PM

Basically, a lot of vulnerability scanners will tell you that there are findings related to www method options and www version displayed. What the scanners do NOT tell you is how to fix these issues. Vague responses like shut PUT/DELETE off, do not display version etc etc.

I have found only 1 server that is very flexible and the information to fix this easy. Apache. However Netscape and IIS I haven't been able to find any documentation removing these options & version. Is it even possible? The RFC says this should be a configurable option.

You should be able to use a hex editor and either change or pre-empt (with \0) the strings for these commands. In another list we were discussing changing the banner that identifies IIS' FTP and web services. The same way you should be able to 'remove' the strings for LINK, PUT, DELETE and whatever else you would like to remove.

Regards,
Frank
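
Added example, not part of the original post or thread: a small check that reports the two scanner findings discussed above (risky methods advertised in an OPTIONS response, and a version shown in the Server banner), so a change can be verified before and after. The sample responses and the server name "ExampleHTTPd" are constructed, and the choice of LINK, PUT and DELETE as the risky set follows the methods named in the reply.

```python
import re

# Methods named in the thread as ones to remove (LINK, PUT, DELETE).
RISKY_METHODS = {"PUT", "DELETE", "LINK"}
# A product token followed by "/<digit>" discloses a version (e.g. "Name/1.2").
VERSION_TOKEN = re.compile(r"[^\s/()]+/\d[\w.]*")

def parse_headers(raw: bytes) -> dict:
    """Return response headers as {lowercased name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_options_response(raw: bytes) -> dict:
    """Report both findings for one raw response to an OPTIONS request."""
    headers = parse_headers(raw)
    advertised = set()
    # Methods may be listed in Allow and, on some servers, in Public.
    for name in ("allow", "public"):
        for value in headers.get(name, []):
            advertised.update(m.strip().upper()
                              for m in value.split(",") if m.strip())
    banners = headers.get("server", [])
    return {
        "risky_methods": sorted(advertised & RISKY_METHODS),
        "version_banners": [b for b in banners if VERSION_TOKEN.search(b)],
    }

# Constructed sample responses (not captured from any real server).
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: ExampleHTTPd/4.0\r\n"
          b"Public: OPTIONS, TRACE, GET, HEAD, PUT, DELETE\r\n"
          b"allow: OPTIONS, GET, HEAD, put\r\n"
          b"Content-Length: 0\r\n\r\n")
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Server: ExampleHTTPd\r\n"
         b"Allow: OPTIONS, GET, HEAD\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_options_response(raw))
```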
